Abstract. We consider the problem of intruder deduction in security protocol analysis: 
that is, deciding whether a given message M can be deduced from a set of messages F 
under the theory of blind signatures and arbitrary convergent equational theories modulo 
associativity and commutativity (AC) of certain binary operators. The traditional for- 
mulations of intruder deduction are usually given in natural-deduction-like systems and 
proving decidability requires significant effort in showing that the rules are "local" in some 
sense. By using the well-known translation between natural deduction and sequent calcu- 
lus, we recast the intruder deduction problem as proof search in sequent calculus, in which 
locality is immediate. Using standard proof theoretic methods, such as permutability of 
rules and cut elimination, we show that the intruder deduction problem can be reduced, 
in polynomial time, to the elementary deduction problem, which amounts to solving cer- 
tain equations in the underlying individual equational theories. We show that this result 
extends to combinations of disjoint AC-convergent theories whereby the decidability of 
intruder deduction under the combined theory reduces to the decidability of elementary 
deduction in each constituent theory. Although various researchers have reported similar 
results for individual cases, our work shows that these results can be obtained using a 
systematic and uniform methodology based on the sequent calculus. To further demon- 
strate the utility of the sequent-based approach, we show that, for Dolev-Yao intruders, 
our sequent-based techniques can be used to solve the more difficult problem of solving 
deducibility constraints, where the sequents to be deduced may contain gaps (or variables) 
representing possible messages the intruder may produce. In particular, we show that 
there is a finite representation of all solutions to such a constraint problem. 



1. Introduction 

One of the fundamental aspects of the analysis of security protocols is the model of 
the intruder that seeks to compromise the protocols. In many situations, such a model can 
be described in terms of a deduction system which gives a formal account of the ability of 
the intruder to analyse and synthesize messages. As shown in many previous works (see, 
e.g., the works discussed in Section 7), finding attacks on protocols can often be framed as the problem of deciding 
whether a certain formal expression is derivable in the deduction system which models the 
intruder capability. The latter is sometimes called the intruder deduction problem, or the 
(ground) reachability problem. A basic deductive account of the intruder's capability is 
based on the so-called Dolev-Yao model, which assumes perfect encryption. While this 
model has been applied fruitfully to many situations, a stronger model of intruders is needed 
to discover certain types of attacks. For example, a recent survey [13] shows that attacks 
on several protocols used in real-world communication networks can be found by exploiting 
algebraic properties of encryption functions. 

The types of attacks mentioned in [13] have motivated many recent works in studying 
models of intruders in which the algebraic properties of the operators used in the protocols 
are taken into account (see, e.g., [12, 15]). In most of these, the intruder's capability is 
usually given as a natural-deduction-like deductive system. As is common in natural deduction, 
each constructor has a rule for introducing the constructor and one for eliminating the 
constructor. The elimination rule typically decomposes a term, reading the rule top-down: 
e.g., a typical elimination rule for a pair $(M,N)$ of terms is: 

\[
\dfrac{\Gamma \vdash (M,N)}{\Gamma \vdash M}
\]

Here, $\Gamma$ denotes a set of terms, which represents the terms accumulated by the intruder 
over the course of its interaction with participants in a protocol. While a natural deduction 
formulation of deductive systems may seem "natural" and may reflect the meaning of the 
(logical) operators, it does not immediately give us a proof search strategy. Proof search 
means that we have to apply the rules bottom up, and as the above elimination rule 
demonstrates, this requires us to come up with a term $N$ which might seem arbitrary. For a more 
complicated example, consider the following elimination rule for blind signatures [17, 18, 6]: 

\[
\dfrac{\Gamma \vdash \mathsf{sign}(\mathsf{blind}(M,R),K) \qquad \Gamma \vdash R}{\Gamma \vdash \mathsf{sign}(M,K)}
\]

The basis for this rule is that the "unblinding" operation commutes with signature. Devising 
a proof search strategy in a natural deduction system containing this type of rule does not 
seem trivial. In most of the works mentioned above, in order to show the decidability results 
for the natural deduction system, one needs to prove that the system satisfies a notion of 
locality, i.e., in searching for a proof of $\Gamma \vdash M$, one needs only to consider expressions which 
are made of subterms of $\Gamma$ and $M$. In addition, one has to also deal with the complication 
that arises from the use of the algebraic properties of certain operators. 

In this work, we recast the intruder deduction problem as proof search in sequent 
calculus. A sequent calculus formulation of Dolev-Yao intruders was previously used by the 
first author in a formulation of open bisimulation for the spi-calculus [23] to prove certain 
results related to open bisimulation. The current work takes this idea further to include 
richer theories. Part of our motivation is to apply standard techniques, which have been well 
developed in the field of logic and proof theory, to the intruder deduction problem. In proof 
theory, sequent calculus is commonly considered a better calculus for studying proof search 
and decidability of logical systems, in comparison to natural deduction. This is partly due 
to the so-called "subformula" property (that is, the premise of every inference rule is made 
up of subterms of the conclusion of the rule), which in most cases entails the decidability 
of the deductive system. It is therefore rather curious that sequent calculus has not been 
more widely used in solving intruder deduction. Some early work by Millen and Shmatikov 
appears to incorporate aspects of sequent calculus inference rules in their decision 
procedure for solving intruder deduction, but apart from this work, we are not aware of any 
systematic use of sequent calculus to solve the intruder deduction problem. It is important 
to note that we do not think that sequent calculus is a replacement for natural deduction 
as a specification framework; natural deduction is, naturally, a more intuitive framework to 
specify an intruder's ability. What we propose here is an alternative way to structure proof 
search, using known and widely used techniques from proof theory. 

We are mainly concerned with the ground intruder deduction problem (i.e., there are no 
variables in terms) under the class of AC-convergent theories. These are equational theories 
that can be turned into convergent rewrite systems, modulo associativity and commutativity 
of certain binary operators. Many important theories for intruder deduction fall into this 
category, e.g., theories for exclusive-or [8], Abelian groups [11], and more generally, 
certain classes of monoidal theories [12]. We shall also present a solution to the more 
difficult problem of deducibility constraint problems (see Section 6), as a demonstration of 
the feasibility of the sequent-based techniques, but only for a restricted model of the intruder. 

A summary of the main results we obtain: We show that the decidability of intruder 
deduction under AC-convergent theories can be reduced, in polynomial time, to elementary 
intruder deduction problems, which involve only the equational theories under consideration. 
We show that the intruder deduction problem for a combination of disjoint theories 
$E_1, \ldots, E_n$ can be reduced, in polynomial time, to the elementary deduction problem for 
each theory $E_i$. This means that if the elementary deduction problem is decidable for each 
$E_i$, then the intruder deduction problem under the combined theory is also decidable. We 
note that these decidability results are not really new, although there are slight differences 
and improvements over the existing works (see Section 7). Our contribution is more of a 
methodological nature. We arrive at these results using rather standard proof theoretical 
techniques, e.g., cut-elimination and permutability of inference rules, in a uniform and 
systematic way. In particular, we obtain locality of proof systems for intruder deduction, which 
is one of the main ingredients of the decidability results in [15] and the related works discussed in Section 7, for a wide range of 
theories that cover those studied in these works. Note that these works deal with the more 
difficult problem of deducibility constraints, which models active intruders. We have not 
yet covered this more general problem for the intruder models with AC-convergent theories, 
although, as we mentioned above, we do show a sequent-based solution for a restricted model 
of intruders (without AC theories). As future work, we plan to extend our approach to deal 
with active intruders under richer intruder models. 

The remainder of the paper is organised as follows. Section 2 presents two systems for 
intruder theories, one in natural deduction and the other in sequent calculus, and shows 
that the two systems are equivalent. In Section 3 the sequent system is shown to enjoy 
cut-elimination. In Section 4 we show that cut-free sequent derivations can be transformed 
into a certain normal form. Using this result, we obtain another "linear" sequent system, 
from which the polynomial reducibility result follows. Section 5 shows that the sequent 
system in Section 2 can be extended straightforwardly to cover any combination of disjoint 
AC-convergent theories, and the same decidability results also hold for this extension. In 
Section 6 we show that the sequent-based techniques, in particular the normal form theorem, 
can be used to solve the more difficult problem of solving deducibility constraints for Dolev-
Yao intruders, which do not involve any equational theories. The main results in Section 6, 
i.e., cut elimination and decision procedures for both intruder deduction and deducibility 
constraints, have been formally verified in Isabelle/HOL by the third author. 

This paper is a revised and extended version of a conference paper [24]. More specifically, 
we have added detailed proofs of the results stated in the conference version and a 
new section on the sequent-based approach to solving deducibility constraint problems for 
Dolev-Yao intruders. 

2. Intruder deduction under AC-convergent theories 

We consider in the following the problem of formalising, given a set of messages $\Gamma$ and 
a message $M$, whether $M$ can be synthesized from the messages in $\Gamma$. We shall write this 
judgment as $\Gamma \vdash M$. This is sometimes called the 'ground reachability' problem or the 
'intruder deduction' problem in the literature. 

Messages are formed from names, variables and function symbols. We shall assume 
the following sets: a countably infinite set $\mathcal{N}$ of names ranged over by $a, b, c, d, m$ and 
$n$; a countably infinite set $\mathcal{V}$ of variables ranged over by $x, y$ and $z$; and a finite set 
$\Sigma_C = \{\mathsf{pub}, \mathsf{sign}, \mathsf{blind}, (\_,\_), \{\_\}_{\_}\}$ of symbols representing the constructors. Thus $\mathsf{pub}$ is 
a public key constructor, $\mathsf{sign}$ is a constructor representing public key signature, $\mathsf{blind}$ is 
the blinding encryption function (as in [17, 18, 6]), $(\_,\_)$ is a pairing constructor, and $\{\_\}_{\_}$ 
is the Dolev-Yao symmetric encryption function. Note that the choice of the constructors 
here is not the most exhaustive one, in the sense that it does not cover all commonly used 
Dolev-Yao types of constructors (e.g., hash, asymmetric encryption, etc.); we select a subset 
which we think is representative enough. Adding those extra constructors to our model is 
straightforward, and the main results of this paper should extend to these additions as well. 
Note also that for clarity of presentation, in presenting the deduction rules corresponding 
to the encryption or signing operators, we do not attempt to abstract them further, e.g., by 
presenting a generic form of rules that could account for both encryption and signing (as 
they both have a similar structure). 

In addition to constructors, we also assume a possibly empty equational theory $E$, whose 
signature is denoted with $\Sigma_E$. We require that $\Sigma_C \cap \Sigma_E = \emptyset$. Function symbols (including 
constructors) are ranged over by $f$, $g$ and $h$. The equational theory $E$ may contain any 
number of associative-commutative function symbols, obeying the standard associative and 
commutative laws. However, for clarity of exposition, in this section, we shall restrict $E$ 
to contain at most one associative-commutative symbol, which we denote with $\oplus$. Later 
in Section 5 we shall consider the more general case where the equational theory $E$ can 
contain an arbitrary number of AC symbols. In any case, we restrict ourselves to equational 
theories which can be represented by terminating and confluent rewrite systems, modulo 
the associativity and commutativity of $\oplus$. We consider the set of messages generated by the 
following grammar 

\[
M, N ::= a \mid x \mid \mathsf{pub}(M) \mid \mathsf{sign}(M,N) \mid \mathsf{blind}(M,N) \mid (M,N) \mid \{M\}_N \mid f(M_1,\ldots,M_k)
\]

where $f \in \Sigma_E$. The operational meaning of each constructor will be defined by its corresponding 
inference rules. Here we give an intuitive explanation for each constructor. Note 
that the language of messages as given above is untyped, but in the following explanation, it 
is helpful to draw an analogy from practices in security protocol analysis to distinguish certain 
types of messages such as (public/private) keys, names, etc. The message $\mathsf{pub}(M)$ denotes 
the public key generated from a private key $M$; $\mathsf{sign}(M,N)$ denotes a message $M$ signed 
with a private key $N$; $\mathsf{blind}(M,N)$ denotes a message $M$ encrypted with $N$ using a special 
blinding encryption; $(M,N)$ denotes a pair of messages; and $\{M\}_N$ denotes a message $M$ 
encrypted with a key $N$ using Dolev-Yao symmetric encryption. The blinding encryption 
has a special property that it commutes with the sign operation, i.e., one can "unblind" a 
signed blinded message $\mathsf{sign}(\mathsf{blind}(M,r),k)$ using the blinding key $r$ to obtain $\mathsf{sign}(M,k)$. 
This aspect of the blinding encryption is reflected in its elimination rules, as we shall see 
later. We denote with $V(M)$ the set of variables occurring in $M$. A message $M$ is ground 
if $V(M) = \emptyset$. In the following, we shall be mostly concerned with ground terms, so unless 
stated otherwise, we assume implicitly that messages are ground. The only exceptions 
are Proposition 3.6, Proposition 3.7 and Section 6, where non-ground messages are also 
considered. 

We shall use several notions of equality, so we distinguish them using the following 
notation: we write $M = N$ to denote syntactic equality, $M \equiv N$ to denote equality 
modulo associativity and commutativity (AC) of $\oplus$, and $M \approx_T N$ to denote equality 
modulo a given equational theory $T$. We shall sometimes omit the subscript in $\approx_T$ if it can 
be inferred from context. 

Remark 2.1. Note that there is a choice on what function symbols one can regard as 
constructors and what one can put into the equational theory. At one extreme, we can 
consider all function symbols as part of the equational theory, e.g., by introducing one or 
more "destructor" functions for each constructor, and capture the intended meaning of each 
constructor via equations. For example, for symmetric encryption, one could introduce a 
decryption operator $\mathsf{dec}$ satisfying: 

\[
\mathsf{dec}(\{M\}_N, N) \approx M,
\]

and for pairing, one could introduce the standard projection functions: 

\[
\pi_1((M,N)) \approx M \quad \text{and} \quad \pi_2((M,N)) \approx N.
\]

However, incorporating all function symbols into the equational theory in this manner 
means that we lose the benefit of sequent calculus in analysing the structure of deductions, 
as equational theories are less constrained than inference rules as far as proof search is 
concerned. Ideally, one would want to push all function symbols into the inference system, but 
there appears to be no easy way to accommodate the associative-commutative symbols. The 
set of constructors that we can accommodate in the inference system is obviously larger than 
the one we consider here. Essentially, all equations that involve constructor-destructor pairs 
that obey simple equations, like the ones for pairing above, can be turned into appropriate 
introduction and elimination rules (in natural deduction) for the constructors. We leave as 
future work the exact characterisation of the equational theories that can be absorbed into 
inference rules. 

Given an equational theory $E$, we denote with $R_E$ the set of rewrite rules for $E$ (modulo 
AC). We write $M \to_{R_E} N$ when $M$ rewrites (modulo AC) to $N$ using one application of 
a rewrite rule in $R_E$. The definition of rewriting modulo AC is standard and is omitted 
here (see, e.g., [1] for a definition). We recall one assumption about variables in rewrite 
rules that will be used explicitly in some proofs in the following section: if $s \to_{R_E} t$ is a 
rewrite rule, then the variables in $t$ must occur in $s$. The reflexive-transitive closure of $\to_{R_E}$ 
is denoted with $\to^*_{R_E}$. We shall often omit the subscript $R_E$ when no confusion arises. A 
term $M$ is in $E$-normal form if $M \not\to_{R_E} N$ for any $N$. We write $M{\downarrow_E}$ to denote the normal 
form of $M$ with respect to the rewrite system $R_E$, modulo associativity and commutativity 
of $\oplus$. Again, the index $E$ is often omitted when it is clear which equational theory we refer 
to. This notation extends straightforwardly to sets, e.g., $\Gamma{\downarrow}$ denotes the set obtained by 
normalising all the elements of $\Gamma$. 

A term $M$ is said to be headed by a symbol $f$ if $M = f(M_1,\ldots,M_k)$. A term $M$ is 
an $E$-alien term if $M$ is headed by a symbol $f \notin \Sigma_E$. It is a pure $E$-term if it contains 
only symbols from $\Sigma_E$, names and variables. A term $M$ is a proper subterm of $N$ if $M$ is a 
subterm of $N$ and $M \neq N$. Given a term $M = f(M_1,\ldots,M_k)$, where $f$ is a constructor or 
a function symbol, the terms $M_1,\ldots,M_k$ are called the immediate subterms of $M$. 

An $E$-alien subterm $M$ of $N$ is said to be an $E$-factor of $N$ if there is another subterm 
$F$ of $N$ such that $M$ is an immediate subterm of $F$ and $F$ is headed by a symbol $f \in \Sigma_E$. 
This notion of a factor of a term is generalised to sets of terms in the obvious way: a term 
$M$ is an $E$-factor of $\Gamma$ if it is an $E$-factor of a term in $\Gamma$. 

Example 2.2. The term $M = d \oplus (c,(a,b))$ has only one $E$-factor: $(c,(a,b))$. Note that 
$(a,b)$ is not an $E$-factor of $M$, since no subterm of $M$ containing $(a,b)$ as an immediate 
subterm is headed by a symbol from $\Sigma_E$. The subterm $d$ is not an $E$-factor of $M$ either, 
since it is not an $E$-alien term. 

A context is a term with holes. We denote with $C^k[\,]$ a context with $k$ hole(s). When 
the number $k$ is not important or can be inferred from context, we shall write $C[\ldots]$ instead. 
Viewing a context $C^k[\,]$ as a tree, each hole in the context occupies a unique position 
among the leaves of the tree. We say that a hole occurrence is the $i$-th hole of the context 
$C^k[\,]$ if it is the $i$-th hole encountered in an inorder traversal of the tree representing 
$C^k[\,]$. An $E$-context is a context formed using only the function symbols in $\Sigma_E$. We write 
$C[M_1,\ldots,M_k]$ to denote the term resulting from replacing the holes in the $k$-hole context 
$C^k[\,]$ with $M_1,\ldots,M_k$, where $M_i$ occupies the $i$-th hole in $C^k[\,]$. 

Natural deduction and sequent systems. The standard formulation of the judgment $\Gamma \vdash M$ 
is usually given in terms of a natural-deduction style inference system, as shown in Figure 1. 
We shall refer to this proof system as $\mathcal{N}$ and write $\Gamma \Vdash_{\mathcal{N}} M$ if $\Gamma \vdash M$ is derivable in $\mathcal{N}$. The 
deduction rules for Dolev-Yao encryption are standard and can be found in the literature. 
The blind signature rules are taken from the formulation given by Bernat and 
Comon-Lundh [6]. Note that the rule $\mathsf{sign}_E$ assumes implicitly that signing a message hides 
its contents. An alternative rule without this assumption would be 

\[
\dfrac{\Gamma \vdash \mathsf{sign}(M,K)}{\Gamma \vdash M}
\]

The results of the paper also hold, with minor modifications, if we adopt this rule. 

A sequent $\Gamma \vdash M$ is in normal form if $M$ and all the terms in $\Gamma$ are in normal form. 
Unless stated otherwise, in the following we assume that sequents are in normal form. The 
sequent system for intruder deduction, under the equational theory $E$, is given in Figure 2. 
We refer to this sequent system as $\mathcal{S}$ and write $\Gamma \Vdash_{\mathcal{S}} M$ to denote the fact that the sequent 
$\Gamma \vdash M$ is derivable in $\mathcal{S}$. 

Unlike natural deduction rules, sequent rules also allow introduction of terms on the 
left hand side of the sequent. The rules $p_L$, $e_L$, $\mathsf{sign}_L$, $\mathsf{blind}_{L1}$, $\mathsf{blind}_{L2}$ and $acut$ are called 
left introduction rules (or simply left rules), and the rules $p_R$, $e_R$, $\mathsf{sign}_R$, $\mathsf{blind}_R$ are called 
right introduction rules (or simply, right rules). Notice that the rule $acut$ is very similar 
to $cut$, except that we have the proviso that $A$ is an $E$-factor of the messages in the lower 
sequent. This is sometimes called analytic cut in the proof theory literature. Analytic cuts 
are not problematic as far as proof search is concerned, since they still obey the sub-formula 
property. 

\[
\dfrac{}{\Gamma \vdash M}\ id,\ M \in \Gamma
\qquad
\dfrac{\Gamma \vdash (M,N)}{\Gamma \vdash M}\ p_E
\qquad
\dfrac{\Gamma \vdash (M,N)}{\Gamma \vdash N}\ p_E
\qquad
\dfrac{\Gamma \vdash M \quad \Gamma \vdash N}{\Gamma \vdash (M,N)}\ p_I
\]
\[
\dfrac{\Gamma \vdash \{M\}_N \quad \Gamma \vdash N}{\Gamma \vdash M}\ e_E
\qquad
\dfrac{\Gamma \vdash M \quad \Gamma \vdash N}{\Gamma \vdash \{M\}_N}\ e_I
\]
\[
\dfrac{\Gamma \vdash \mathsf{sign}(M,K) \quad \Gamma \vdash \mathsf{pub}(K)}{\Gamma \vdash M}\ \mathsf{sign}_E
\qquad
\dfrac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \mathsf{sign}(M,K)}\ \mathsf{sign}_I
\]
\[
\dfrac{\Gamma \vdash \mathsf{blind}(M,K) \quad \Gamma \vdash K}{\Gamma \vdash M}\ \mathsf{blind}_{E1}
\qquad
\dfrac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \mathsf{blind}(M,K)}\ \mathsf{blind}_I
\qquad
\dfrac{\Gamma \vdash \mathsf{sign}(\mathsf{blind}(M,R),K) \quad \Gamma \vdash R}{\Gamma \vdash \mathsf{sign}(M,K)}\ \mathsf{blind}_{E2}
\]
\[
\dfrac{\Gamma \vdash M_1 \quad \cdots \quad \Gamma \vdash M_n}{\Gamma \vdash f(M_1,\ldots,M_n)}\ f_I,\ f \in \Sigma_E
\qquad
\dfrac{\Gamma \vdash N}{\Gamma \vdash M}\ \approx,\ M \approx N
\]

Figure 1: System $\mathcal{N}$: a natural deduction system for intruder deduction. 

\[
\dfrac{}{\Gamma \vdash M}\ id,\ M \approx C[M_1,\ldots,M_k],\ C[\,]\ \text{an } E\text{-context, and } M_1,\ldots,M_k \in \Gamma
\qquad
\dfrac{\Gamma \vdash M \quad \Gamma, M \vdash T}{\Gamma \vdash T}\ cut
\]
\[
\dfrac{\Gamma, (M,N), M, N \vdash T}{\Gamma, (M,N) \vdash T}\ p_L
\qquad
\dfrac{\Gamma \vdash M \quad \Gamma \vdash N}{\Gamma \vdash (M,N)}\ p_R
\]
\[
\dfrac{\Gamma, \{M\}_K \vdash K \quad \Gamma, \{M\}_K, M, K \vdash N}{\Gamma, \{M\}_K \vdash N}\ e_L
\qquad
\dfrac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \{M\}_K}\ e_R
\]
\[
\dfrac{\Gamma, \mathsf{sign}(M,K), \mathsf{pub}(L), M \vdash N}{\Gamma, \mathsf{sign}(M,K), \mathsf{pub}(L) \vdash N}\ \mathsf{sign}_L,\ K \equiv L
\qquad
\dfrac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \mathsf{sign}(M,K)}\ \mathsf{sign}_R
\]
\[
\dfrac{\Gamma, \mathsf{blind}(M,K) \vdash K \quad \Gamma, \mathsf{blind}(M,K), M, K \vdash N}{\Gamma, \mathsf{blind}(M,K) \vdash N}\ \mathsf{blind}_{L1}
\qquad
\dfrac{\Gamma \vdash M \quad \Gamma \vdash K}{\Gamma \vdash \mathsf{blind}(M,K)}\ \mathsf{blind}_R
\]
\[
\dfrac{\Gamma, \mathsf{sign}(\mathsf{blind}(M,R),K) \vdash R \quad \Gamma, \mathsf{sign}(\mathsf{blind}(M,R),K), \mathsf{sign}(M,K), R \vdash N}{\Gamma, \mathsf{sign}(\mathsf{blind}(M,R),K) \vdash N}\ \mathsf{blind}_{L2}
\]
\[
\dfrac{\Gamma \vdash A \quad \Gamma, A \vdash M}{\Gamma \vdash M}\ acut,\ A \text{ is an } E\text{-factor of } \Gamma \cup \{M\}
\]

Figure 2: System $\mathcal{S}$: a sequent system for intruder deduction. 
We need the rule $acut$ because we do not have introduction rules for function symbols 
in $\Sigma_E$, in contrast to natural deduction. This rule is needed to "abstract" $E$-factors in a 
sequent (in the sense of the variable abstraction technique common in unification theory, 
see e.g., [22, 5]), which is needed to prove that the cut rule is redundant. For example, let 
$E$ be a theory containing only the associativity and the commutativity axioms for $\oplus$. Then 
the sequent $a, b \vdash (a,b) \oplus a$ should be derivable without cut. Apart from the $acut$ rule, the 
only other way to derive this is by using the id rule. However, id is not applicable, since no 
$E$-context $C[\ldots]$ can obey $C[a,b] \approx (a,b) \oplus a$, because $E$-contexts can contain only symbols 
from $\Sigma_E$ and thus cannot contain $(\_,\_)$. Therefore we need to abstract the term $(a,b)$ in the 
right hand side, via the $acut$ rule: 

\[
\dfrac{
\dfrac{\dfrac{}{a, b \vdash a}\ id \qquad \dfrac{}{a, b \vdash b}\ id}{a, b \vdash (a,b)}\ p_R
\qquad
\dfrac{}{a, b, (a,b) \vdash (a,b) \oplus a}\ id
}{a, b \vdash (a,b) \oplus a}\ acut
\]

The third id rule instance (from the left) is valid because we have $C[(a,b), a] = (a,b) \oplus a$, 
where $C[\_,\_] = [\_] \oplus [\_]$. 
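The notions used in Example 2.2 and in the derivation just given (AC-equality of terms, $E$-factors, and the side condition of the id rule of $\mathcal{S}$ when $E$ consists only of the AC axioms of $\oplus$) are mechanical enough to be executed. The following is an added example, not code from the paper or its authors: terms are nested Python tuples whose head is a string, the AC symbol $\oplus$ is spelled "xor", names are plain strings, and the constructor names are this example's own encoding. The id check goes a little beyond the text's single instance: because an $E$-context here is built from $\oplus$ alone, $M \approx C[M_1,\ldots,M_k]$ holds exactly when the AC multiset of $M$ is a union of AC multisets of members of $\Gamma$, and that is what the search computes.

```python
# Added example (not from the paper): AC-equality, E-factors (Example 2.2) and
# the id rule of System S for the theory E whose only axioms are associativity
# and commutativity of the symbol written oplus in the paper, called "xor" here.
# Terms are nested tuples ("xor", s, t), ("pair", s, t), ("enc", m, k),
# ("sign", m, k), ("blind", m, k), ("pub", k); names are plain strings.
# The symbol names and this encoding are assumptions of the example.

SIGMA_E = {"xor"}  # signature of E: the single AC symbol


def head(t):
    """Head symbol of a term; names have no head."""
    return None if isinstance(t, str) else t[0]


def args(t):
    return () if isinstance(t, str) else t[1:]


def flatten(t):
    """Maximal non-xor arguments of t, with repetitions (the AC multiset of t)."""
    if head(t) != "xor":
        return [t]
    out = []
    for a in args(t):
        out.extend(flatten(a))
    return out


def ac_normal(t):
    """Canonical representative of t modulo AC of xor: flatten every xor nest and
    sort its arguments, recursively.  Two terms are AC-equal (the paper's M == N
    modulo AC) iff their canonical forms are syntactically equal."""
    if isinstance(t, str):
        return t
    if head(t) == "xor":
        parts = sorted((ac_normal(a) for a in flatten(t)), key=repr)
        return ("xor",) + tuple(parts)
    return (head(t),) + tuple(ac_normal(a) for a in args(t))


def ac_equal(s, t):
    return ac_normal(s) == ac_normal(t)


def is_alien(t):
    """E-alien: headed by a symbol outside Sigma_E (names are not alien)."""
    return head(t) is not None and head(t) not in SIGMA_E


def subterms(t):
    yield t
    for a in args(t):
        yield from subterms(a)


def e_factors(t):
    """E-factors of t: E-alien immediate subterms of some subterm of t that is
    headed by a symbol of Sigma_E (the definition preceding Example 2.2)."""
    out = []
    for f in subterms(t):
        if head(f) in SIGMA_E:
            for m in args(f):
                if is_alien(m) and m not in out:
                    out.append(m)
    return out


def id_applicable(gamma, m):
    """The id rule of S for E = AC(xor): does m AC-equal C[M_1, ..., M_k] for
    some E-context C (built from xor alone) and M_1, ..., M_k in gamma?  The
    same member of gamma may fill several holes, so this is a multiset cover:
    the AC multiset of m must be a union of AC multisets of members of gamma."""
    target = sorted((ac_normal(a) for a in flatten(m)), key=repr)
    pieces = [sorted((ac_normal(a) for a in flatten(g)), key=repr) for g in gamma]

    def cover(remaining):
        if not remaining:
            return True
        first = remaining[0]  # some chosen piece must account for this element
        for p in pieces:
            if first in p and all(remaining.count(x) >= p.count(x) for x in p):
                rest = list(remaining)
                for x in p:
                    rest.remove(x)
                if cover(rest):
                    return True
        return False

    return bool(target) and cover(target)


if __name__ == "__main__":
    goal = ("xor", ("pair", "a", "b"), "a")          # (a,b) xor a
    print(id_applicable(["a", "b"], goal))           # id fails: no E-context builds the pair
    print(id_applicable(["a", "b", ("pair", "a", "b")], goal))  # after acut abstracts (a,b)
```

On the sequent of the example, `id_applicable(["a", "b"], goal)` is false and becomes true once $(a,b)$ has been added to the left-hand side, which is exactly what the $acut$ step above achieves; with $\Gamma = \{a \oplus b, c\}$ the cover search also recognises $c \oplus (b \oplus a)$, since a member of $\Gamma$ headed by $\oplus$ may fill a hole.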

Derivability in the natural deduction system and in the sequent system is related via 
the standard translation, i.e., right rules in sequent calculus correspond to introduction rules 
in natural deduction and left rules correspond to elimination rules. The straightforward 
translation from natural deduction to sequent calculus uses the cut rule. 

Remark 2.3. Notice that the left rule for signing in the sequent calculus ($\mathsf{sign}_L$) and the left 
rule for symmetric encryption ($e_L$) have different forms, although in the natural deduction 
system, their elimination rules are more or less the same. We could indeed use the following 
alternative left rule $\mathsf{sign}_L'$: 

\[
\dfrac{\Gamma, \mathsf{sign}(M,K) \vdash \mathsf{pub}(K) \qquad \Gamma, \mathsf{sign}(M,K), M, \mathsf{pub}(K) \vdash N}{\Gamma, \mathsf{sign}(M,K) \vdash N}\ \mathsf{sign}_L'
\]

It can be shown that $\mathsf{sign}_L$ and $\mathsf{sign}_L'$ are equivalent. We prefer the former since it has a 
'nicer' form in that it satisfies the subformula property. Notice also that in $\mathsf{sign}_L$, we need 
the proviso $K \equiv L$ because in the sequent rules, we do not quotient terms modulo AC. 
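Proof search in $\mathcal{S}$ is easiest to see in the Dolev-Yao fragment, where $E$ is empty: every term is its own normal form, the id rule is plain membership, $K \equiv L$ is syntactic equality and $acut$ never fires because there are no $E$-factors. Search then has two phases, as the left/right split of Figure 2 suggests: saturate the left-hand side with the left rules (the analysis phase), then try the right rules on the goal (synthesis). The code below is an added example written for this page, not the authors' code; the tuple encoding of messages is its own assumption. It follows the reconstructed Figure 2 literally, so in particular $\mathsf{pub}(K)$ has no right rule and is deducible only when it already occurs in $\Gamma$, and $\mathsf{sign}_L$ only reveals a signed message when the matching public key is present, which is the "signing hides its contents" choice discussed before Figure 1.

```python
# Added example (not from the paper): proof search in the sequent system S of
# Figure 2 for the Dolev-Yao fragment, i.e. the equational theory E is empty.
# Encoding (an assumption of this example): ("pair", M, N), ("enc", M, K) for
# {M}_K, ("sign", M, K), ("blind", M, K), ("pub", K); names are strings.


def synth(gamma, m):
    """Right rules p_R, e_R, sign_R, blind_R and id (membership in gamma).
    Figure 2 has no right rule for pub, so pub(K) is deducible only when it is
    already in gamma."""
    if m in gamma:
        return True
    if isinstance(m, str) or m[0] == "pub":
        return False
    return all(synth(gamma, a) for a in m[1:])


def analyse(gamma):
    """Saturate gamma under the left rules p_L, e_L, sign_L, blind_L1, blind_L2.
    A key premise such as Gamma, {M}_K |- K is checked with synth over the
    current set; adding terms only makes more keys deducible, so every term is
    re-examined until nothing changes.  Each added term is built from subterms
    of gamma, so the loop terminates."""
    gamma = set(gamma)
    changed = True
    while changed:
        changed = False
        for t in list(gamma):
            if isinstance(t, str):
                continue
            new = set()
            if t[0] == "pair":                              # p_L
                new.update(t[1:])
            elif t[0] == "enc" and synth(gamma, t[2]):      # e_L: key deducible
                new.add(t[1])
            elif t[0] == "blind" and synth(gamma, t[2]):    # blind_L1
                new.add(t[1])
            elif t[0] == "sign":
                m, k = t[1], t[2]
                if ("pub", k) in gamma:                     # sign_L (K = L, E empty)
                    new.add(m)
                if isinstance(m, tuple) and m[0] == "blind" and synth(gamma, m[2]):
                    new.add(("sign", m[1], k))              # blind_L2: unblind
            if not new <= gamma:
                gamma |= new
                changed = True
    return frozenset(gamma)


def derivable(gamma, m):
    """Gamma |- M in S with E empty: analyse, then synthesise."""
    return synth(analyse(gamma), m)


# Constructed input for a blind-signature run: the intruder holds the signed
# blinded message, the blinding factor and the signer's public key.
BLIND_RUN = [("sign", ("blind", "m", "r"), "k"), "r", ("pub", "k")]

if __name__ == "__main__":
    print(sorted(analyse(BLIND_RUN), key=repr))
    print(derivable(BLIND_RUN, "m"))  # blind_L2 yields sign(m,k); sign_L then yields m
```

Because the analysis phase is a fixpoint over a finite set of subterm-built messages, the procedure is a direct reading of the locality property the paper obtains for $\mathcal{S}$: nothing outside the subterms of $\Gamma \cup \{M\}$ (plus the unblinded signatures produced by $\mathsf{blind}_{L2}$) is ever considered.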

In the following, given a derivation $\Pi$, we denote with $|\Pi|$ the height of $\Pi$, i.e., the 
length of the longest branch in $\Pi$. 

Lemma 2.4 (Weakening). Let $\Pi$ be a derivation, in $\mathcal{S}$, of $\Gamma \vdash M$. If $\Gamma \subseteq \Gamma'$, then there 
exists an $\mathcal{S}$-derivation $\Pi'$ of $\Gamma' \vdash M$ such that $|\Pi| = |\Pi'|$. 

Proof. By induction on $|\Pi|$. □ 

Lemma 2.5. If the judgment $\Gamma \vdash M$ is derivable in the natural deduction system $\mathcal{N}$ then 
$\Gamma{\downarrow} \vdash M{\downarrow}$ is derivable in the sequent system $\mathcal{S}$. 

Proof. Let $\Pi$ be a natural deduction derivation of $\Gamma \vdash M$. We construct a sequent derivation 
$\Pi'$ of $\Gamma{\downarrow} \vdash M{\downarrow}$ by induction on $|\Pi|$. The id rule translates to the id rule in sequent calculus; 
the introduction rules for constructors translate to the right rules for the same constructors. 
If $\Pi$ ends with the $\approx$-rule, then the premise and the conclusion of the rule translate to 
the same sequent, hence $\Pi'$ is constructed by the induction hypothesis. It remains to show the 
translations for the elimination rules and the rule concerning $f \in \Sigma_E$. 
• Suppose $\Pi$ ends with $f_I$, for some $f \in \Sigma_E$: 

\[
\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash M_1\end{array} \quad \cdots \quad \begin{array}{c}\Pi_k\\ \Gamma \vdash M_k\end{array}}{\Gamma \vdash f(M_1,\ldots,M_k)}\ f_I
\]

By induction hypothesis, we have sequent derivations $\Pi_i'$ of $\Gamma{\downarrow} \vdash M_i{\downarrow}$, for each $i \in 
\{1,\ldots,k\}$. Lemma 2.4 applied to the $\Pi_i'$ gives us another sequent derivation $\Pi_i''$ of 
$\Gamma{\downarrow}, M_1{\downarrow}, \ldots, M_{i-1}{\downarrow} \vdash M_i{\downarrow}$. We note that the sequent 

\[
\Gamma{\downarrow}, M_1{\downarrow}, \ldots, M_k{\downarrow} \vdash f(M_1,\ldots,M_k){\downarrow}
\]

is derivable in the sequent system $\mathcal{S}$ by an application of the id rule, since $C[\,] = f(\ldots)$ 
is an $E$-context. The derivation $\Pi'$ is then constructed by successive applications of the 
cut rule to this sequent with $\Pi_1'', \ldots, \Pi_k''$, where the cut on $M_i{\downarrow}$ eliminates $M_i{\downarrow}$ from the 
conclusion by using the derivation $\Pi_i''$ of $\Gamma{\downarrow}, M_1{\downarrow}, \ldots, M_{i-1}{\downarrow} \vdash M_i{\downarrow}$; cutting on 
$M_k{\downarrow}$ first and on $M_1{\downarrow}$ last keeps the left-hand sides of the cut premises matching. 

• Suppose $\Pi$ ends with $p_E$: 

\[
\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash (M,N)\end{array}}{\Gamma \vdash M}\ p_E
\qquad\qquad
\dfrac{\dfrac{}{\Gamma{\downarrow}, (M{\downarrow},N{\downarrow}), M{\downarrow}, N{\downarrow} \vdash M{\downarrow}}\ id}{\Gamma{\downarrow}, (M{\downarrow},N{\downarrow}) \vdash M{\downarrow}}\ p_L
\]

Note that $(M,N){\downarrow} = (M{\downarrow},N{\downarrow})$ and that the sequent $\Gamma{\downarrow}, (M{\downarrow},N{\downarrow}) \vdash M{\downarrow}$ is derivable 
in the sequent calculus $\mathcal{S}$ (using an id rule followed by a $p_L$-rule), as shown above right. 
By the induction hypothesis, we have a sequent derivation $\Pi_1'$ of $\Gamma{\downarrow} \vdash (M{\downarrow},N{\downarrow})$, and so 
we can use the cut rule to get a sequent derivation of $\Gamma{\downarrow} \vdash M{\downarrow}$. 

• Suppose $\Pi$ ends with $e_E$: 

\[
\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash \{M\}_N\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma \vdash N\end{array}}{\Gamma \vdash M}\ e_E
\]

By the induction hypothesis, we have a sequent derivation $\Pi_1'$ of $\Gamma{\downarrow} \vdash \{M{\downarrow}\}_{N{\downarrow}}$ and a 
sequent derivation $\Pi_2'$ of $\Gamma{\downarrow} \vdash N{\downarrow}$. By Lemma 2.4 we have a derivation $\Pi_3$ of 
$\Gamma{\downarrow}, \{M{\downarrow}\}_{N{\downarrow}} \vdash N{\downarrow}$, where $|\Pi_3| = |\Pi_2'|$. We construct a sequent derivation for the sequent 

\[
\Gamma{\downarrow}, \{M{\downarrow}\}_{N{\downarrow}}, N{\downarrow} \vdash M{\downarrow}
\]

by an application of $e_L$, followed by two applications of id (read upwards): 

\[
\dfrac{\dfrac{}{\Gamma{\downarrow}, \{M{\downarrow}\}_{N{\downarrow}}, N{\downarrow} \vdash N{\downarrow}}\ id \qquad \dfrac{}{\Gamma{\downarrow}, \{M{\downarrow}\}_{N{\downarrow}}, M{\downarrow}, N{\downarrow} \vdash M{\downarrow}}\ id}{\Gamma{\downarrow}, \{M{\downarrow}\}_{N{\downarrow}}, N{\downarrow} \vdash M{\downarrow}}\ e_L
\]

Then $\Pi'$ is constructed by applying the cut rule to this sequent using $\Pi_3$ and $\Pi_1'$. 

• Suppose $\Pi$ ends with $\mathsf{sign}_E$: 

\[
\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash \mathsf{sign}(M,K)\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma \vdash \mathsf{pub}(K)\end{array}}{\Gamma \vdash M}\ \mathsf{sign}_E
\]

By induction hypothesis, we have a sequent derivation $\Pi_1'$ and a sequent derivation $\Pi_2'$ 
of, respectively, 

\[
\Gamma{\downarrow} \vdash \mathsf{sign}(M{\downarrow},K{\downarrow}) \quad \text{and} \quad \Gamma{\downarrow} \vdash \mathsf{pub}(K{\downarrow}).
\]

Let $\Pi_2''$ be a derivation of 

\[
\Gamma{\downarrow}, \mathsf{sign}(M{\downarrow},K{\downarrow}) \vdash \mathsf{pub}(K{\downarrow})
\]

obtained by an application of Lemma 2.4 to $\Pi_2'$. Let $\Pi_3$ be the derivation 

\[
\dfrac{\dfrac{}{\Gamma{\downarrow}, \mathsf{sign}(M{\downarrow},K{\downarrow}), \mathsf{pub}(K{\downarrow}), M{\downarrow} \vdash M{\downarrow}}\ id}{\Gamma{\downarrow}, \mathsf{sign}(M{\downarrow},K{\downarrow}), \mathsf{pub}(K{\downarrow}) \vdash M{\downarrow}}\ \mathsf{sign}_L
\]

Then $\Pi'$ is constructed by successive applications of cut: first with $\Pi_2''$ and $\Pi_3$, and then with $\Pi_1'$ 
and the resulting derivation. 

• The case where $\Pi$ ends with $\mathsf{blind}_{E1}$ is analogous to the case with $e_E$. 

• Suppose $\Pi$ ends with $\mathsf{blind}_{E2}$: 

\[
\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash \mathsf{sign}(\mathsf{blind}(M,R),K)\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma \vdash R\end{array}}{\Gamma \vdash \mathsf{sign}(M,K)}\ \mathsf{blind}_{E2}
\]

By induction hypothesis, we have a derivation $\Pi_1'$ and a derivation $\Pi_2'$ of, respectively, 

\[
\Gamma{\downarrow} \vdash \mathsf{sign}(\mathsf{blind}(M{\downarrow},R{\downarrow}),K{\downarrow}) \quad \text{and} \quad \Gamma{\downarrow} \vdash R{\downarrow}.
\]

Let $\Pi_3$ be the derivation 

\[
\dfrac{\begin{array}{c}\Pi_2''\\ \Gamma{\downarrow}, \mathsf{sign}(\mathsf{blind}(M{\downarrow},R{\downarrow}),K{\downarrow}) \vdash R{\downarrow}\end{array} \qquad \dfrac{}{\Gamma{\downarrow}, \mathsf{sign}(\mathsf{blind}(M{\downarrow},R{\downarrow}),K{\downarrow}), \mathsf{sign}(M{\downarrow},K{\downarrow}), R{\downarrow} \vdash \mathsf{sign}(M{\downarrow},K{\downarrow})}\ id}{\Gamma{\downarrow}, \mathsf{sign}(\mathsf{blind}(M{\downarrow},R{\downarrow}),K{\downarrow}) \vdash \mathsf{sign}(M{\downarrow},K{\downarrow})}\ \mathsf{blind}_{L2}
\]

where $\Pi_2''$ is obtained from $\Pi_2'$ by weakening the sequent with 

\[
\mathsf{sign}(\mathsf{blind}(M{\downarrow},R{\downarrow}),K{\downarrow}).
\]

Then the derivation $\Pi'$ is constructed by a cut between $\Pi_1'$ and $\Pi_3$. □ 

For the case where the equational theory is empty, we conjecture that the translation from 
natural deduction derivations to sequent calculus derivations (with cuts) can be done in 
polynomial time, as there is no duplication of derivation trees needed in the translation. 
Note that in the translation, one needs to apply the weakening lemma to weaken certain 
derivations, but this can be done in linear time. Note also that in the translation of elimination 
rules, the cut rule is used to compose the inductively translated derivations with new 
derivations. But the latter are all derivations of bounded size (i.e., bounded by the size 
of the original sequent), hence they can also be constructed in linear time, and the overall 
complexity would still be bounded by polynomial time. 

Lemma 2.6. If $\Gamma \vdash M$, where $\Gamma \cup \{M\}$ is a set of terms in normal form, is derivable in 
the sequent system $\mathcal{S}$ then $\Gamma \vdash M$ is derivable in the natural deduction system $\mathcal{N}$. 

Proof. Let $\Pi$ be a sequent derivation of $\Gamma \vdash M$. We construct a natural deduction derivation 
$\Pi'$ of $\Gamma \vdash M$ by induction on $|\Pi|$. 

• The right-introduction rules of $\mathcal{S}$ map to the same introduction rules in $\mathcal{N}$. When $\Pi$ 
ends with such a rule, $\Pi'$ is constructed straightforwardly from the induction 
hypothesis using the introduction rules of $\mathcal{N}$. 

• If $\Pi$ ends with an id rule, i.e., $M \approx C[M_1,\ldots,M_k]$ for some $M_1,\ldots,M_k \in \Gamma$ and $E$-context 
$C[\ldots]$, we construct a derivation $\Pi_1$ of $\Gamma \vdash C[M_1,\ldots,M_k]$ by induction on the 
context $C[\ldots]$. This is easily done using the $f_I$ introduction rule in $\mathcal{N}$. The derivation $\Pi'$ 
is then constructed from $\Pi_1$ by an application of the $\approx$-rule. 
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Suppose T = T' U {{U,V)} and 11 ends with pL : 

Hi 

T',{U,V),U,Vh M 
— LJ_J — Ll — l pj^ 

T', {u, y) h M 

By induction hypothesis, we have an A/'-derivation 11'^ of V, {U, V),U,V h M. We want an 
A/'-derivation 11' of T', {U, V) \- M instead. The TV-derivation 11' is constructed inductively 
from n'^ by copying the same rule applications in 11'^, except when H'l is either 

r,u,vhu ^^ or r,u,vhv ^^ 

in which case, 11' is 



r h {u, v)'"^ r h {u, V) '"^ 

-— — - Pe -— — - Pe 

ThU and ThV 

respectively, since {U,V) G F. 

Suppose r = r' U {{^}y} and 11 ends with e^ : 

Hi U2 

T\-V T,U,V\- M 

T',{U}v^M '''' 

By induction hypothesis, we have an A/'-derivation n'^^ of T \- V and an A/'-derivation 112 
ofT,U,V \- M. The A/'-derivation 11' of F h M is then constructed inductively from 112 
by applying the same rules as in n'2, except when 112 i^ either 

T,U,VhU *^ or T,U,VhV *^ 
In the first case, 11' is 

. , n'l 

r h {u}v Thv 

^^ — eg 

ThU 

and in the second case 11' is simply Il[. 

• Suppose $\Gamma = \Gamma' \cup \{\mathit{sign}(N,K), \mathit{pub}(L)\}$ and $\Pi$ ends with $\mathit{sign}_L$:

$$\dfrac{\begin{array}{c}\Pi_1\\ \Gamma', \mathit{sign}(N,K), \mathit{pub}(L), N \vdash M\end{array}}{\Gamma', \mathit{sign}(N,K), \mathit{pub}(L) \vdash M}\; \mathit{sign}_L$$

where $L = K$ (hence $L \approx K$). By induction hypothesis, we have an $\mathcal{N}$-derivation $\Pi_1'$ of

$$\Gamma', \mathit{sign}(N,K), \mathit{pub}(L), N \vdash M.$$

As in the previous case, the $\mathcal{N}$-derivation $\Pi'$ of $\Gamma \vdash M$ is constructed by imitating the rules of $\Pi_1'$, except for the following id case:

$$\dfrac{}{\Gamma', \mathit{sign}(N,K), \mathit{pub}(L), N \vdash N}\; id$$

which is replaced by

$$\dfrac{\dfrac{}{\Gamma', \mathit{sign}(N,K), \mathit{pub}(L) \vdash \mathit{sign}(N,K)}\; id \qquad \dfrac{\dfrac{}{\Gamma', \mathit{sign}(N,K), \mathit{pub}(L) \vdash \mathit{pub}(L)}\; id}{\Gamma', \mathit{sign}(N,K), \mathit{pub}(L) \vdash \mathit{pub}(K)}\; \approx}{\Gamma', \mathit{sign}(N,K), \mathit{pub}(L) \vdash N}\; \mathit{sign}E$$

The case where $\Pi$ ends with $\mathit{blind}_{L1}$ is similar to the case with $e_L$.
• Suppose $\Gamma = \Gamma' \cup \{\mathit{sign}(\mathit{blind}(N,R),K)\}$ and $\Pi$ ends with $\mathit{blind}_{L2}$:

$$\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash R\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma, \mathit{sign}(N,K), R \vdash M\end{array}}{\Gamma', \mathit{sign}(\mathit{blind}(N,R),K) \vdash M}\; \mathit{blind}_{L2}$$

Similarly to the previous case, we apply the induction hypothesis to both $\Pi_1$ and $\Pi_2$, obtaining $\Pi_1'$ and $\Pi_2'$. The derivation $\Pi'$ is constructed by imitating the rules of $\Pi_2'$, but with the following id instances

$$\dfrac{}{\Gamma, \mathit{sign}(N,K), R \vdash \mathit{sign}(N,K)}\; id \qquad\qquad \dfrac{}{\Gamma, \mathit{sign}(N,K), R \vdash R}\; id$$

replaced, respectively, by

$$\dfrac{\dfrac{}{\Gamma \vdash \mathit{sign}(\mathit{blind}(N,R),K)}\; id \qquad \begin{array}{c}\Pi_1'\\ \Gamma \vdash R\end{array}}{\Gamma \vdash \mathit{sign}(N,K)} \qquad \text{and} \qquad \begin{array}{c}\Pi_1'\\ \Gamma \vdash R.\end{array}$$

• Suppose $\Pi$ ends with acut:

$$\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash A\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma, A \vdash M\end{array}}{\Gamma \vdash M}\; acut$$

By induction hypothesis, we have an $\mathcal{N}$-derivation $\Pi_1'$ of $\Gamma \vdash A$ and an $\mathcal{N}$-derivation $\Pi_2'$ of $\Gamma, A \vdash M$. Again, as in the previous cases, we construct $\Pi'$ inductively, on the height of $\Pi_2'$, by imitating the rules in $\Pi_2'$, except when $\Pi_2'$ ends with an instance of id of the form

$$\dfrac{}{\Gamma, A \vdash A}\; id$$

in which case $\Pi'$ is $\Pi_1'$.

• Suppose $\Pi$ ends with cut: this case is handled similarly to the previous case. □

Proposition 2.7. The judgment $\Gamma \vdash M$ is derivable in the natural deduction system $\mathcal{N}$ if and only if $\Gamma{\downarrow} \vdash M{\downarrow}$ is derivable in the sequent system $\mathcal{S}$.

Proof. Immediate from Lemma 2.5 and Lemma 2.6. □

3. Cut elimination for $\mathcal{S}$

We now show that the cut rule is redundant for $\mathcal{S}$.

Definition 3.1. An inference rule $R$ in a proof system $\mathcal{D}$ is admissible for $\mathcal{D}$ if for every sequent $\Gamma \vdash M$ derivable in $\mathcal{D}$, there is a derivation of the same sequent in $\mathcal{D}$ without instances of $R$.

The cut-elimination theorem for $\mathcal{S}$ states that the cut rule is admissible for $\mathcal{S}$. Before we proceed with the main cut elimination proof, we first prove a basic property of equational theories and rewrite systems, which is concerned with a technique called variable abstraction [22, 5].
3.1. Variable abstraction. Given a normal term $M$, the size $|M|$ of $M$ is the number of function symbols, names and variables appearing in $M$.

In the following, we consider slightly more general equational theories than in the previous section: each AC theory $E$ can be a theory obtained from a disjoint combination of AC theories $E_1, \ldots, E_n$, where each $E_i$ has at most one AC operator $\oplus_i$. This is so that we can reuse the results concerning variable abstraction for a more general case later in Section 5.

Definition 3.2. Let $E$ be a disjoint combination of AC convergent theories $E_1, \ldots, E_n$. A term $M$ is a quasi-$E_i$ term if every $E_i$-alien subterm of $M$ is in $E$-normal form.

Example 3.3. Let $E = \{h(x,x) \approx x\}$. Then $h((a,b),c)$ is a quasi-$E$ term, whereas $h((a,b),(h(a,a),b))$ is not, since its $E$-alien subterm $(h(a,a),b)$ is not in its $E$-normal form $(a,b)$. Obviously, any $E$-normal term is a quasi-$E_i$ term.

In the following, given an equational theory $E$, we assume the existence of a function $v_E$, which assigns a variable from $\mathcal{V}$ to each ground term such that $v_E(M) = v_E(N)$ if and only if $M \approx_E N$. In other words, $v_E$ assigns a unique variable to each equivalence class of ground terms induced by $\approx_E$.

Definition 3.4. Let $E$ be an equational theory obtained by disjoint combination of AC theories $E_1, \ldots, E_n$. The $E_i$ abstraction function $F_{E_i}$ is a function mapping ground terms to pure $E_i$ terms, defined recursively as follows:

$$F_{E_i}(u) = \begin{cases} u, & \text{if } u \text{ is a name,}\\ f(F_{E_i}(u_1), \ldots, F_{E_i}(u_k)), & \text{if } u = f(u_1, \ldots, u_k) \text{ and } f \in \Sigma_{E_i},\\ v_E(u), & \text{otherwise.} \end{cases}$$

It can be easily shown that the function $F_{E_i}$ preserves the equivalence relation $=$. That is, if $M = N$ then $F_{E_i}(M) = F_{E_i}(N)$.
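As an added illustration of Definitions 3.2 and 3.4 (not code from the paper), the following Python implements $E$-normalisation, the quasi-$E$ check and the abstraction $F_E$ for the single theory $E = \{h(x,x) \approx x\}$ of Example 3.3, with $v_E$ realised as a table keyed by $E$-normal forms; the tuple encoding of terms, the `pair` constructor as the only $E$-alien symbol, and all function names are our own assumptions.

```python
"""Variable abstraction F_E (Definition 3.4) for E = {h(x,x) ~ x}, the theory of
Example 3.3.  Added example: the term encoding and helper names are ours, not the
paper's.  Terms are nested tuples: ('name', 'a'), ('var', 'x1'), ('h', t1, t2)
and the E-alien pairing constructor ('pair', t1, t2)."""

SIGMA_E = {'h'}   # function symbols of E; every other symbol (here 'pair') is E-alien


def name(n):
    return ('name', n)


def h(x, y):
    return ('h', x, y)


def pair(x, y):
    return ('pair', x, y)


def normalize(t):
    """E-normal form: apply h(X,X) -> X innermost-first under every symbol.
    R_E is convergent, so the result is unique."""
    if t[0] in ('name', 'var'):
        return t
    args = tuple(normalize(u) for u in t[1:])
    if t[0] == 'h' and args[0] == args[1]:
        return args[0]
    return (t[0],) + args


def alien_subterms(t):
    """Maximal E-alien subterms of t (headed by a symbol outside Sigma_E).
    Checking these suffices, since subterms of a normal term are normal."""
    if t[0] in ('name', 'var'):
        return []
    if t[0] not in SIGMA_E:
        return [t]
    return [a for u in t[1:] for a in alien_subterms(u)]


def is_quasi_E(t):
    """Definition 3.2: every E-alien subterm of t is in E-normal form."""
    return all(normalize(a) == a for a in alien_subterms(t))


class Abstraction:
    """F_E of Definition 3.4.  v_E is a table keyed by E-normal form, so two ground
    terms receive the same variable exactly when they are equal modulo E."""

    def __init__(self):
        self.classes = {}

    def v(self, t):
        key = normalize(t)
        if key not in self.classes:
            self.classes[key] = ('var', 'x%d' % (len(self.classes) + 1))
        return self.classes[key]

    def F(self, t):
        if t[0] == 'name':                       # names are kept
            return t
        if t[0] in SIGMA_E:                      # f in Sigma_E: recurse into arguments
            return (t[0],) + tuple(self.F(u) for u in t[1:])
        return self.v(t)                         # E-alien subterm: abstract to v_E(t)


def abstraction_commutes_with_normalisation(t, ab):
    """Consequence of Lemma 3.5 / Proposition 3.6 for a quasi-E term t:
    rewriting t and rewriting F_E(t) reach matching normal forms."""
    return normalize(ab.F(t)) == ab.F(normalize(t))


# Constructed terms taken from Example 3.3.
A, B, C = name('a'), name('b'), name('c')
QUASI = h(pair(A, B), C)                         # quasi-E
NOT_QUASI = h(pair(A, B), pair(h(A, A), B))      # alien (h(a,a),b) is not normal

if __name__ == '__main__':
    ab = Abstraction()
    print(is_quasi_E(QUASI), is_quasi_E(NOT_QUASI))
    print(ab.F(QUASI))
```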

Lemma 3.5. Let $E$ be a disjoint combination of AC theories $E_1, \ldots, E_n$. Let $M$ be a quasi-$E_i$ term. If $M \to_{R_E} N$ then $N$ is also a quasi-$E_i$ term and $F_{E_i}(M) \to_{R_E} F_{E_i}(N)$.

Proof. By induction on the structure of $M$:

• If $M$ is a name then the lemma holds vacuously.

• Suppose $M = f(u_1, \ldots, u_k)$, where $f \in \Sigma_{E_i}$. There are two cases to consider:

– The redex is in $u_j$. This case follows straightforwardly from the induction hypothesis and the definition of $F_{E_i}$.

– The redex is $M$. Then there must be a rewrite rule in $R_E$ of the form

$$C[x_1, \ldots, x_l] \to C'[x_1, \ldots, x_l]$$

where $C[\ldots]$ and $C'[\ldots]$ are $E_i$-contexts, such that

$$M = (C[x_1, \ldots, x_l])\sigma \qquad \text{and} \qquad N = (C'[x_1, \ldots, x_l])\sigma$$

for some substitution $\sigma$. Note that since $M$ is a quasi-$E_i$ term, it follows that each $x_j\sigma$ is also a quasi-$E_i$ term. Hence $N$ must also be a quasi-$E_i$ term. From the definition of $F_{E_i}$, we have the following equality (we abbreviate $F_{E_i}$ as $F$):

$$\begin{aligned} F(M) &= F(C[x_1, \ldots, x_l]\sigma)\\ &= C[F(x_1\sigma), \ldots, F(x_l\sigma)]\\ &= C[x_1, \ldots, x_l]\sigma' \end{aligned}$$

where $\sigma'$ is the substitution $\{F(x_1\sigma)/x_1, \ldots, F(x_l\sigma)/x_l\}$. Similarly, we can show that $F(N) = C'[x_1, \ldots, x_l]\sigma'$. Therefore, we have $F(M) \to_{R_E} F(N)$.

• Suppose $M = g(u_1, \ldots, u_k)$ and $g \notin \Sigma_{E_i}$. Then $M$ is an $E_i$-alien subterm of $M$, and since $M$ is a quasi-$E_i$ term, $M$ must be in $E$-normal form. Therefore no reduction is possible, hence the lemma holds vacuously. □

Proposition 3.6. Let $E$ be a disjoint combination of $E_1, \ldots, E_n$. If $M$ is a quasi-$E_i$ term and $M \to^*_{R_E} N$, then $N$ is a quasi-$E_i$ term and $F_{E_i}(M) \to^*_{R_E} F_{E_i}(N)$.

Proof. This follows directly from Lemma 3.5. □

Proposition 3.7. Let $E$ be a disjoint combination of $E_1, \ldots, E_n$. If $M$ and $N$ are quasi-$E_i$ terms and $F_{E_i}(M) \to^*_{R_E} F_{E_i}(N)$, then $M \to^*_{R_E} N$.

Proof. It is enough to show that this holds for the one-step rewrite $F_{E_i}(M) \to_{R_E} F_{E_i}(N)$. This can be done by induction on the structure of $M$. In particular, we need to show that a rewrite rule that applies to $F_{E_i}(M)$ also applies to $M$. Let $x_1, \ldots, x_k$ be the free variables in $F_{E_i}(M)$. Let $M_1, \ldots, M_k$ be normal $E$-terms such that $v_E(M_j) = x_j$ for each $j \in \{1, \ldots, k\}$, and

$$\sigma = \{M_1/x_1, \ldots, M_k/x_k\}.$$

Then we can show by induction on the structure of $M$ and $N$, and using the fact that they are quasi-$E_i$ terms, that

$$F_{E_i}(M)\sigma = M \qquad \text{and} \qquad F_{E_i}(N)\sigma = N.$$

Note that for any rewrite rule in a rewrite system, by definition, we have that all the variables free in the right-hand side of the rule are also free in the left-hand side. Hence, the free variables of $F_{E_i}(N)$ are among the free variables in $F_{E_i}(M)$ since they are related by rewriting.

Now suppose there is a rewrite rule in $R_E$

$$C[y_1, \ldots, y_l] \to C'[y_1, \ldots, y_l]$$

where $C[\ldots]$ and $C'[\ldots]$ are $E_i$-contexts, such that $F_{E_i}(M) = C[y_1, \ldots, y_l]\theta$ and $F_{E_i}(N) = C'[y_1, \ldots, y_l]\theta$, for some substitution $\theta$. Then we have

$$M = F_{E_i}(M)\sigma = (C[y_1, \ldots, y_l]\theta)\sigma = C[y_1, \ldots, y_l](\theta \circ \sigma)$$

and

$$N = F_{E_i}(N)\sigma = (C'[y_1, \ldots, y_l]\theta)\sigma = C'[y_1, \ldots, y_l](\theta \circ \sigma).$$

Hence we also have $M \to_{R_E} N$. □

3.2. Cut elimination. We now show some important proof transformations needed to prove cut elimination, i.e., in an inductive argument to reduce the size of cut terms. In the following, when we write that a sequent $\Gamma \vdash M$ is derivable, we mean that it is derivable in the proof system $\mathcal{S}$, with a fixed AC theory $E$. Note that here the equational theory $E$ contains at most one AC symbol.

Lemma 3.8. Let $\Pi$ be a derivation of $M_1, \ldots, M_k \vdash N$. Then for any $M_1', \ldots, M_k'$ and $N'$ such that $M_i = M_i'$ and $N = N'$, there is a derivation $\Pi'$ of $M_1', \ldots, M_k' \vdash N'$ such that $|\Pi| = |\Pi'|$.

Proof. By induction on $|\Pi|$. □
Lemma 3.9. Let $X$ and $Y$ be terms in normal form and let $f$ be a binary constructor. If $\Gamma, f(X,Y) \vdash M$ is cut-free derivable, then $\Gamma, X, Y \vdash M$ has a cut-free derivation.

Proof. Let $\Pi$ be a cut-free derivation of $\Gamma, f(X,Y) \vdash M$. We construct a cut-free derivation $\Pi'$ of $\Gamma, X, Y \vdash M$ by induction on $|f(X,Y)|$ with subinduction on $|\Pi|$. The only non-trivial cases are when $\Pi$ ends with $\mathit{blind}_{L2}$ acting on $f(X,Y)$, and when $\Pi$ ends with id and $f(X,Y)$ is used in the rule. We examine these cases in more detail below.

• Suppose $\Pi$ ends with $\mathit{blind}_{L2}$, acting on $f(X,Y)$, i.e., $f = \mathit{sign}$ and $X = \mathit{blind}(N,R)$:

$$\dfrac{\begin{array}{c}\Pi_1\\ \Gamma, \mathit{sign}(\mathit{blind}(N,R),Y) \vdash R\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma, \mathit{sign}(\mathit{blind}(N,R),Y), \mathit{sign}(N,Y), R \vdash M\end{array}}{\Gamma, \mathit{sign}(\mathit{blind}(N,R),Y) \vdash M}\; \mathit{blind}_{L2}$$

Applying the inner induction hypothesis on derivation height to $\Pi_1$ and $\Pi_2$ we obtain two derivations $\Pi_1'$ and $\Pi_2'$ of

$$\Gamma, \mathit{blind}(N,R), Y \vdash R \qquad \text{and} \qquad \Gamma, \mathit{blind}(N,R), Y, \mathit{sign}(N,Y), R \vdash M$$

Next we apply the outer induction hypothesis on the size of $f(X,Y)$ to decompose $\mathit{sign}(N,Y)$ in the latter sequent to get a derivation $\Pi_2''$ of

$$\Gamma, \mathit{blind}(N,R), N, Y, R \vdash M$$

The derivation $\Pi'$ is constructed as follows:

$$\dfrac{\begin{array}{c}\Pi_1'\\ \Gamma, \mathit{blind}(N,R), Y \vdash R\end{array} \qquad \begin{array}{c}\Pi_2''\\ \Gamma, \mathit{blind}(N,R), N, Y, R \vdash M\end{array}}{\Gamma, \mathit{blind}(N,R), Y \vdash M}\; \mathit{blind}_{L1}$$

• Suppose $\Pi$ ends with id. The only non-trivial case is when $f(X,Y)$ is active in the rule, that is, we have

$$M \approx C[f(X,Y)^n, M_1, \ldots, M_k]$$

where $M_1, \ldots, M_k \in \Gamma$, $C[\ldots]$ is an $E$-context and $f(X,Y)$ fills $n$ holes in $C[\ldots]$. We distinguish several cases:

– There is an $E$-factor $A$ of $M \cup \Gamma$ such that $f(X,Y) = A$. Note that in this case $A$ must be of the form $f(X',Y')$ for some $X' = X$ and $Y' = Y$. In this case, $\Pi'$ is constructed as follows:

$$\dfrac{\begin{array}{c}\Xi\\ \Gamma, X, Y \vdash f(X',Y')\end{array} \qquad \dfrac{}{\Gamma, X, Y, f(X',Y') \vdash M}\; id}{\Gamma, X, Y \vdash M}\; acut$$

where $\Xi$ is a derivation formed using id and the right rules for the constructor $f$.

– Suppose that there is no $E$-factor $A$ of $M \cup \Gamma$ such that $A = f(X,Y)$. Note that since $M$ is in normal form, we have

$$C[f(X,Y)^n, M_1, \ldots, M_k] \to^* M$$

and both $C[f(X,Y)^n, M_1, \ldots, M_k]$ and $M$ are quasi-$E$ terms. Let $x = v(f(X,Y))$. It follows from Proposition 3.6 that

$$F_E(C[f(X,Y)^n, M_1, \ldots, M_k]) = C[x^n, F_E(M_1), \ldots, F_E(M_k)] \to^* F_E(M).$$

Since no factors of $M$ and $M_1, \ldots, M_k$ are equivalent to $f(X,Y)$, $x$ obviously does not appear in any of $F_E(M), F_E(M_1), \ldots, F_E(M_k)$. Now let $a$ be a name that does not occur in $\Gamma$, $X$, $Y$ or $M$. Since rewriting is invariant under variable/name substitution, by substituting $a$ for $x$ in the above sequence of rewrites, we have

$$F_E(C[a^n, M_1, \ldots, M_k]) = C[a^n, F_E(M_1), \ldots, F_E(M_k)] \to^* F_E(M).$$

Now by Proposition 3.7 we have

$$C[a^n, M_1, \ldots, M_k] \to^* M.$$

By substituting $X$ for $a$ in this sequence, we have

Thus, in this case, $\Pi'$ is constructed by an application of id. □

16 A. TIU, R. GORE, AND J. DAWSON

Lemma 3.10. Let $X_1, \ldots, X_k$ be terms in normal form and let $\Pi$ be a cut-free derivation of $\Gamma, f(X_1, \ldots, X_k){\downarrow} \vdash M$, where $f \in \Sigma_E$. Then there exists a cut-free derivation $\Pi'$ of

$$\Gamma, X_1, \ldots, X_k \vdash M.$$

Proof. By induction on $|\Pi|$. The cases where $\Pi$ ends with id, or rules in which $f(X_1, \ldots, X_k){\downarrow}$ is not principal, are trivial. The other cases, where $\Pi$ ends with a rule applied to the term $f(X_1, \ldots, X_k){\downarrow}$, are given in the following.

• Suppose $\Pi$ ends with $p_L$ on $f(X_1, \ldots, X_k){\downarrow}$. This means that $f(X_1, \ldots, X_k){\downarrow}$ is a pair $(U,V)$ for some $U$ and $V$, and $\Pi$ is

$$\dfrac{\Gamma, (U,V), U, V \vdash M}{\Gamma, (U,V) \vdash M}\; p_L$$

We have that

$$f(X_1, \ldots, X_k) \to^* (U,V).$$

Let $x = F_E((U,V))$. By Proposition 3.6 we have

$$f(F_E(X_1), \ldots, F_E(X_k)) \to^* x.$$

Obviously, $x$ has to occur in $F_E(X_i)$ for some $X_i$. Without loss of generality, assume that $i = 1$. This means that there exists an $E$-alien subterm $A$ of $X_1$ such that $A = (U',V')$ and $U = U'$ and $V = V'$. There are two cases to consider.

– $A$ is a factor of $X_1$. Then $\Pi'$ is the derivation:

$$\dfrac{\dfrac{}{\Gamma, X_1, \ldots, X_k \vdash (U',V')}\; id \qquad \begin{array}{c}\Pi_1\\ \Gamma, X_1, \ldots, X_k, (U',V') \vdash M\end{array}}{\Gamma, X_1, \ldots, X_k \vdash M}\; acut$$

The instance of id above is valid since $(U',V') = (U,V) \approx f(X_1, \ldots, X_k)$. The derivation $\Pi_1$ is obtained by weakening $\Pi$ with $X_1, \ldots, X_k$ and applying Lemma 3.8 to replace $(U,V)$ with its equivalent $(U',V')$.

– $A$ is not a factor of $X_1$. This can only mean that either $X_1 = A$ or that every occurrence of $A$ in $X_1$ is as an immediate subterm of another $E$-alien subterm. The latter would mean that $A$ would not be abstracted by $F_E$ at all, contradicting the assumption that it is. So it must be the case that $X_1 = A$. Then $\Pi'$ is the derivation

$$\dfrac{\begin{array}{c}\Pi''\\ \Gamma, (U',V'), U', V', X_2, \ldots, X_k \vdash M\end{array}}{\Gamma, (U',V'), X_2, \ldots, X_k \vdash M}\; p_L$$

where $\Pi''$ is obtained by weakening $\Pi$ with $X_2, \ldots, X_k$, and then applying Lemma 3.8 to replace $U$ and $V$ with their equivalent $U'$ and $V'$.

The cases where $f(X_1, \ldots, X_k){\downarrow}$ is headed with some other constructor are proved analogously.

• Suppose $\Pi$ ends with acut which abstracts an $E$-factor of $f(X_1, \ldots, X_k){\downarrow}$:

$$\dfrac{\begin{array}{c}\Pi_1\\ \Gamma' \vdash A\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma', A \vdash M\end{array}}{\Gamma, f(X_1, \ldots, X_k){\downarrow} \vdash M}\; acut$$

where $A$ is an $E$-factor of $f(X_1, \ldots, X_k){\downarrow}$ and $\Gamma' = \Gamma \cup \{f(X_1, \ldots, X_k){\downarrow}\}$. In this case, we have that

$$f(X_1, \ldots, X_k){\downarrow} = C[g(\ldots, A, \ldots)]$$

for some context $C[\,]$ and some $g \in \Sigma_E$. By Proposition 3.6 we have

$$f(F_E(X_1), \ldots, F_E(X_k)) \to^* F_E(C[g(\ldots, A, \ldots)]).$$

We have a couple of cases to analyse, depending on whether that particular occurrence of $A$ is abstracted by $F_E$ or not (i.e., if $g(\ldots, A, \ldots)$ is nested inside another $E$-alien subterm). In both cases, it can be shown that there exist $A' = A$ and some $X_i$ such that either $A' = X_i$ or $A'$ is an $E$-factor of $X_i$. For the latter case, $\Pi'$ is constructed as follows:

$$\dfrac{\begin{array}{c}\Pi_1'\\ \Gamma'' \vdash A'\end{array} \qquad \begin{array}{c}\Pi_2'\\ \Gamma'', A' \vdash M\end{array}}{\Gamma, X_1, \ldots, X_k \vdash M}\; acut$$

where $\Gamma'' = \Gamma \cup \{X_1, \ldots, X_k\}$ and $\Pi_1'$ and $\Pi_2'$ are obtained by applying the induction hypothesis on $\Pi_1$ and $\Pi_2$, followed by applications of Lemma 3.8 to replace $A$ with its equivalent $A'$. If $X_i = A'$ then $\Pi'$ is obtained by weakening $\Pi_2$ with $X_2, \ldots, X_k$, followed by an application of Lemma 3.8 to replace $A$ with $A'$. □

Lemma 3.11. Let $M_1, \ldots, M_k$ be terms in normal form and let $C[\ldots]$ be a $k$-hole $E$-context. If $\Gamma, C[M_1, \ldots, M_k]{\downarrow} \vdash M$ is cut-free derivable, then so is $\Gamma, M_1, \ldots, M_k \vdash M$.

Proof. By induction on the size of $C[\ldots]$, Lemma 3.8 and Lemma 3.10. □

One peculiar aspect of the sequent system $\mathcal{S}$ is that in the introduction rules for encryption functions (including blind signatures), there is no switch of polarities for the encryption key. For example, in the introduction rules for $\{M\}_K$, on both the left and the right, the key $K$ appears on the right hand side of a premise of the rule. This means that there is no exchange of information between the left and the right hand side of sequents, unlike typical implication rules in logic. This gives rise to an easy cut elimination proof, where we need only to measure the complexity of the left premise of a cut in determining the cut rank.

Theorem 3.12. The cut rule is admissible for $\mathcal{S}$.

Proof. We give a set of transformation rules for derivations ending with cuts and show that given any derivation, there is a sequence of reductions that applies to this derivation, and terminates with a cut free derivation with the same end sequent. This is proved by induction on the height of the left premise derivation immediately above the cut rule. This measure is called the cut rank. As usual in cut elimination, we proceed by eliminating the topmost instances of cut with the highest rank. So in the following, we suppose a given derivation $\Pi$ ending with a cut rule, which is the only cut in $\Pi$, and then show how to transform this to a cut free derivation $\Pi'$.

The cut reduction is driven by the left premise derivation of the cut. We distinguish several cases, based on the last rule of the left premise derivation.

(1) Suppose the left premise of $\Pi$ ends with either $p_R$, $e_R$, $\mathit{sign}_R$ or $\mathit{blind}_R$, thus $\Pi$ is

$$\dfrac{\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash M\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma \vdash N\end{array}}{\Gamma \vdash f(M,N)}\; \rho \qquad \begin{array}{c}\Pi_3\\ \Gamma, f(M,N) \vdash R\end{array}}{\Gamma \vdash R}\; cut$$

where $f$ is a constructor and $\rho$ is its right introduction rule. By Lemma 3.9 we have a cut free derivation $\Pi_3'$ of $\Gamma, M, N \vdash R$. By applying Lemma 2.4 to $\Pi_2$, we also have a cut-free derivation $\Pi_2'$ of $\Gamma, M \vdash N$ such that $|\Pi_2| = |\Pi_2'|$. The above cut is then reduced to

$$\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash M\end{array} \qquad \dfrac{\begin{array}{c}\Pi_2'\\ \Gamma, M \vdash N\end{array} \qquad \begin{array}{c}\Pi_3'\\ \Gamma, M, N \vdash R\end{array}}{\Gamma, M \vdash R}\; cut}{\Gamma \vdash R}\; cut$$

These two cuts can then be eliminated by induction hypothesis since their left premises are of smaller height than the left premise of $\Pi$.

(2) Suppose the left premise of the cut ends with a left rule acting on $\Gamma$. We show here the case where the left-rule has only one premise; generalisation to the other case (with two premises) is straightforward. Therefore $\Pi$ is of the form:

$$\dfrac{\dfrac{\begin{array}{c}\Pi_1\\ \Gamma' \vdash M\end{array}}{\Gamma \vdash M}\; \rho \qquad \begin{array}{c}\Pi_2\\ \Gamma, M \vdash R\end{array}}{\Gamma \vdash R}\; cut$$

By inspection of the inference rules in Figure 2, it is clear that in the rule $\rho$ above, we have $\Gamma \subseteq \Gamma'$. We can therefore weaken $\Pi_2$ to a derivation $\Pi_2'$ of $\Gamma', M \vdash R$ with $|\Pi_2| = |\Pi_2'|$. The cut is then reduced as follows.

$$\dfrac{\dfrac{\begin{array}{c}\Pi_1\\ \Gamma' \vdash M\end{array} \qquad \begin{array}{c}\Pi_2'\\ \Gamma', M \vdash R\end{array}}{\Gamma' \vdash R}\; cut}{\Gamma \vdash R}\; \rho$$

The cut rule above $\rho$ can be eliminated by induction hypothesis, as the height of the left premise of the cut is smaller than that of the left premise of the original cut.

(3) Suppose the left premise of the cut ends with acut, but using an $E$-factor of the right hand side of the sequent, i.e., $\Pi$ is

$$\dfrac{\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash A\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma, A \vdash C[A]\end{array}}{\Gamma \vdash C[A]}\; acut \qquad \begin{array}{c}\Pi_3\\ \Gamma, C[A] \vdash R\end{array}}{\Gamma \vdash R}\; cut$$

Then this derivation reduces to:

$$\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash A\end{array} \qquad \dfrac{\begin{array}{c}\Pi_2\\ \Gamma, A \vdash C[A]\end{array} \qquad \begin{array}{c}\Pi_3'\\ \Gamma, A, C[A] \vdash R\end{array}}{\Gamma, A \vdash R}\; cut}{\Gamma \vdash R}\; cut$$

The derivation $\Pi_3'$ is obtained by weakening $\Pi_3$ with $A$ (Lemma 2.4). Both cuts can be removed by induction hypothesis (the upper cut followed by the lower cut).

(4) Suppose the left premise of the cut ends with the id-rule:

$$\dfrac{\dfrac{}{\Gamma \vdash M}\; id \qquad \begin{array}{c}\Pi_1\\ \Gamma, M \vdash R\end{array}}{\Gamma \vdash R}\; cut$$

where $M = C[M_1, \ldots, M_k]{\downarrow}$ and $M_1, \ldots, M_k \in \Gamma$. In this case, we apply Lemma 3.11 to $\Pi_1$, hence we get a cut free derivation $\Pi'$ of $\Gamma \vdash R$. □



4. Normal derivations and decidability

We now turn to the question of the decidability of the deduction problem $\Gamma \vdash M$. This problem is known to be decidable for several AC theories, e.g., exclusive-or, abelian groups and their extensions with a homomorphism axiom [11, 5, 15, 14, 1]. What we would like to show here is how the decidability result can be reduced to a more elementary decision problem, defined as follows.

Definition 4.1. Given an equational theory $E$, the elementary deduction problem for $E$, written $\Gamma \Vdash_E M$, is the problem of deciding whether the id rule is applicable to the sequent $\Gamma \vdash M$ (by checking whether there exists an $E$-context $C[\ldots]$ and terms $M_1, \ldots, M_k \in \Gamma$ such that $C[M_1, \ldots, M_k] \approx_E M$).

Note that as a consequence of Proposition 3.6 and Proposition 3.7, in checking elementary deducibility, it is enough to consider the pure $E$ equational problem where all $E$-alien subterms are abstracted, i.e., we have

$$C[M_1, \ldots, M_k] \approx_E M \quad \text{iff} \quad C[F_E(M_1), \ldots, F_E(M_k)] \approx_E F_E(M).$$

Our notion of elementary deduction corresponds roughly to the notion of "recipe" in [1], but we note that the notion of a recipe is a stronger one, since it bounds the size of the equational context.

The cut free sequent system does not strictly speaking enjoy the "sub-formula" property, i.e., in $\mathit{blind}_{L2}$ the premise sequent has a term which is not a subterm of any term in the lower sequent. However, it is easy to see that, reading the rules bottom up, we only ever introduce terms which are smaller than the terms in the lower sequent. Thus a naive proof search strategy which non-deterministically tries all applicable rules and avoids repeated sequents will eventually terminate. This procedure is of course rather expensive. We show that we can obtain a better complexity result by analysing the structure of cut-free derivations. Recall that the rules $p_L$, $e_L$, $\mathit{sign}_L$, $\mathit{blind}_{L1}$, $\mathit{blind}_{L2}$ and acut are called left rules (the other rules are right rules). Central to the decidability results in this section is the notion of a normal derivation, given in the following definition.

Definition 4.2. A cut-free derivation $\Pi$ is said to be a normal derivation if it satisfies the following conditions:

(1) no left rule appears above a right rule;

(2) no left rule appears immediately above the left-premise of a branching left rule (i.e., all left rules except $p_L$ and $\mathit{sign}_L$).

Lemma 4.3. Let $\Pi$ be a cut-free derivation of $\Gamma \vdash M$. Then there is a cut-free derivation of the same sequent such that all the right rules appear above left rules.

Proof. We permute any offending right rules up over any left rules. This is done by induction on the number of occurrences of the offending rules. We first show the case where $\Pi$ has at most one offending right rule. In this case, we show, by induction on the height of $\Pi$, that any offending right-introduction rule can be permuted up in the derivation tree until it is above any left-introduction rule. We show here a non-trivial case involving acut; the others are treated analogously. Suppose $\Pi$ is as shown below at left, where $\rho$ denotes a right introduction rule for the constructor $f$ and $A$ is an $E$-factor of $\Gamma \cup \{M\}$. By the weakening lemma (Lemma 2.4), we have a derivation $\Pi_3'$ of $\Gamma, A \vdash N$ with $|\Pi_3'| = |\Pi_3|$. The original derivation $\Pi$ is then transformed into the derivation shown below at right:

$$\dfrac{\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash A\end{array} \quad \begin{array}{c}\Pi_2\\ \Gamma, A \vdash M\end{array}}{\Gamma \vdash M}\; acut \qquad \begin{array}{c}\Pi_3\\ \Gamma \vdash N\end{array}}{\Gamma \vdash f(M,N)}\; \rho
\qquad\qquad
\dfrac{\begin{array}{c}\Pi_1\\ \Gamma \vdash A\end{array} \qquad \dfrac{\begin{array}{c}\Pi_2\\ \Gamma, A \vdash M\end{array} \quad \begin{array}{c}\Pi_3'\\ \Gamma, A \vdash N\end{array}}{\Gamma, A \vdash f(M,N)}\; \rho}{\Gamma \vdash f(M,N)}\; acut$$

The rule $\rho$ in the right premise can then be further permuted up (i.e., if $\Pi_2$ or $\Pi_3'$ ends with a left rule) by induction hypothesis.

The derivation $\Pi'$ is then constructed by repeatedly applying the above transformation to the topmost offending rules until all of them appear above left-introduction rules. □

Proposition 4.4. If $\Gamma \vdash M$ is derivable then it has a normal derivation.

Proof. Let $\Pi$ be a cut-free derivation of $\Gamma \vdash M$. By Lemma 4.3 we can assume without loss of generality that all the right rules in $\Pi$ appear above the left rules. We construct a normal derivation $\Pi'$ of the same sequent by induction on the number of offending left rules in $\Pi$.

We first consider the case where $\Pi$ has at most one offending left rule. Let $\Xi$ be a subtree of $\Pi$ where the offending rule occurs, i.e., $\Xi$ ends with a branching left rule, whose left premise derivation ends with a left rule. We show by induction on the height of the left premise derivation of the last rule in $\Xi$ that $\Xi$ can be transformed into a normal derivation. There are two cases to consider: one in which the left premise derivation ends with a branching left rule and the other where it ends with a non-branching left rule. We consider the former case here; the latter can be dealt with analogously. So suppose $\Xi$ is of the form:

$$\dfrac{\dfrac{\begin{array}{c}\Pi_1\\ \Gamma_1 \vdash N_2\end{array} \qquad \begin{array}{c}\Pi_2\\ \Gamma_2 \vdash N_1\end{array}}{\Gamma_1 \vdash N_1}\; L_2 \qquad \begin{array}{c}\Pi_3\\ \Gamma_3 \vdash M'\end{array}}{\Gamma_1 \vdash M'}\; L_1$$

where $L_i$ is a left rule, $\Pi_1$, $\Pi_2$ and $\Pi_3$ are normal derivations, $\Gamma_2 \supseteq \Gamma_1$ and $\Gamma_3 \supseteq \Gamma_1$. We first weaken $\Pi_3$ into a derivation $\Pi_3'$ of $\Gamma_4 \vdash M'$, where $\Gamma_4 = \Gamma_2 \cup \Gamma_3$. Such a weakening can be easily shown to not affect the shape of the derivations (i.e., it does not introduce or remove any rules in $\Pi_3$). $\Xi$ is then transformed into

$$\dfrac{\begin{array}{c}\Pi_1\\ \Gamma_1 \vdash N_2\end{array} \qquad \dfrac{\begin{array}{c}\Pi_2\\ \Gamma_2 \vdash N_1\end{array} \qquad \begin{array}{c}\Pi_3'\\ \Gamma_4 \vdash M'\end{array}}{\Gamma_2 \vdash M'}\; L_1}{\Gamma_1 \vdash M'}\; L_2$$

By inspection of the rules in Figure 2, it can be shown that this transformation is valid for any pair of left rules $(L_1, L_2)$. Note that this transformation may introduce at most two offending left rules, i.e., if $\Pi_1$ and/or $\Pi_2$ end with left rules. But notice that the left premise derivations of both $L_1$ and $L_2$ in this case have smaller height than the left premise derivation of $L_1$ in $\Xi$. By induction hypothesis, the right premise derivation of $L_2$ can be transformed into a normal derivation, say $\Pi_4$, resulting in

$$\dfrac{\begin{array}{c}\Pi_1\\ \Gamma_1 \vdash N_2\end{array} \qquad \begin{array}{c}\Pi_4\\ \Gamma_2 \vdash M'\end{array}}{\Gamma_1 \vdash M'}\; L_2$$

By another application of the induction hypothesis, this derivation can be transformed into a normal derivation.

The general case where $\Pi$ has more than one offending rule can be dealt with by transforming the topmost occurrences of the left rule, one by one, following the above transformation. □

Figure 3: System $\mathcal{L}$: a linear proof system for intruder deduction.

$$\dfrac{}{\Gamma \vdash M}\; r \text{, where } \Gamma \Vdash_{\mathcal{R}} M \qquad\qquad \dfrac{\Gamma, \{M\}_K, M, K \vdash N}{\Gamma, \{M\}_K \vdash N}\; l_e \text{, where } \Gamma, \{M\}_K \Vdash_{\mathcal{R}} K$$

$$\dfrac{\Gamma, (M,N), M, N \vdash T}{\Gamma, (M,N) \vdash T}\; l_p \qquad\qquad \dfrac{\Gamma, \mathit{sign}(M,K), \mathit{pub}(L), M \vdash N}{\Gamma, \mathit{sign}(M,K), \mathit{pub}(L) \vdash N}\; \mathit{sign} \text{, where } L \approx K$$

$$\dfrac{\Gamma, \mathit{blind}(M,K), M, K \vdash N}{\Gamma, \mathit{blind}(M,K) \vdash N}\; \mathit{blind}_1 \qquad\qquad \dfrac{\Gamma, \mathit{sign}(\mathit{blind}(M,R),K), \mathit{sign}(M,K), R \vdash N}{\Gamma, \mathit{sign}(\mathit{blind}(M,R),K) \vdash N}\; \mathit{blind}_2 \text{, where } \Gamma, \mathit{sign}(\mathit{blind}(M,R),K) \Vdash_{\mathcal{R}} R$$

$$\dfrac{\Gamma, A \vdash M}{\Gamma \vdash M}\; l_s \text{, where } A \text{ is an } E\text{-factor of } \Gamma \cup \{M\} \text{ and } \Gamma \Vdash_{\mathcal{R}} A$$

(The side condition of $\mathit{blind}_1$ is not legible in the source.)

In a normal derivation, the left branch of a branching left rule is derivable using only right rules and id. This means that we can represent a normal derivation as a sequence (reading the derivation bottom-up) of sequents, each of which is obtained from the previous one by adding terms composed of subterms of the previous sequent, with the proviso that certain subterms can be constructed using right-rules. Let us denote with $\Gamma \Vdash_{\mathcal{R}} M$ the fact that the sequent $\Gamma \vdash M$ is derivable using only the right rules and id. This suggests a more compact deduction system for intruder deduction, called system $\mathcal{L}$, given in Figure 3.

Proposition 4.5. A sequent $\Gamma \vdash M$ is derivable in $\mathcal{S}$ if and only if it is derivable in $\mathcal{L}$.

Proof. This follows immediately from cut elimination for $\mathcal{S}$ and the normal form for $\mathcal{S}$ (Proposition 4.4). □

We now show that the decidability of the deduction problem $\Gamma \Vdash_{\mathcal{S}} M$ can be reduced to decidability of elementary deduction problems. We consider a representation of terms as directed acyclic graphs (DAG), with maximum sharing of subterms. Such a representation is quite standard and can be found in, e.g., [1], so we will not go into the details here.

In the following, we denote with $st(\Gamma)$ the set of subterms of the terms in $\Gamma$. In the DAG representation of $\Gamma$, the number of distinct nodes in the DAG representing distinct subterms of $\Gamma$ coincides with the cardinality of $st(\Gamma)$. We write $pst(\Gamma)$ for the set of proper subterms of $\Gamma$, and write $St(\Gamma)$ for the saturated set of $\Gamma$, where

$$St(\Gamma) = \Gamma \cup pst(\Gamma) \cup sst(\Gamma) \qquad\qquad sst(\Gamma) = \{\mathit{sign}(M,N) \mid M, N \in pst(\Gamma)\}$$

The set $sst(\Gamma)$ is needed so that the saturated set is closed under the unblinding operation, i.e., the bottom-up application of the $\mathit{blind}_2$-rule. The cardinality of $St(\Gamma)$ is at most quadratic in the size of $st(\Gamma)$. If $\Gamma$ is represented as a DAG, one can compute the DAG representation of $St(\Gamma)$ in polynomial time, with only a quadratic increase of the size of the graph. Given a DAG representation of $St(\Gamma \cup \{M\})$, we can represent a sequent $\Gamma \vdash M$ by associating each node in the DAG with a tag which indicates whether or not the term represented by the subgraph rooted at that node appears in $\Gamma$ or $M$. Therefore, in the following complexity results for the deducibility problem $\Gamma \Vdash_{\mathcal{S}} M$ (for some proof system $\mathcal{S}$), we assume that the input consists of the DAG representation of the saturated set $St(\Gamma \cup \{M\})$, together with appropriate tags in the nodes. Since each tag takes only a fixed amount of space (e.g., a two-bit data structure should suffice), we shall state the complexity result w.r.t. the cardinality of $St(\Gamma \cup \{M\})$. We denote with $\#(S)$ the cardinality of the set $S$.

Definition 4.6. Let $\Gamma \Vdash_{\mathcal{D}} M$ be a deduction problem, where $\mathcal{D}$ is some proof system, and let $n$ be the size of $St(\Gamma \cup \{M\})$. Let $E$ be the equational theory associated with $\mathcal{D}$. Suppose that the elementary deduction problem in $E$ has complexity $O(f(m))$, where $m$ is the size of the input. Then the problem $\Gamma \Vdash_{\mathcal{D}} M$ is said to be polynomially reducible to the elementary deduction problem $\Vdash_E$ if it has complexity $O(n^k \times f(n))$ for some constant $k$.

A key lemma in proving the decidability result is the following invariant property of linear proofs.

Lemma 4.7. Let $\Pi$ be an $\mathcal{L}$-derivation of $\Gamma \vdash M$. Then for every sequent $\Gamma' \vdash M'$ occurring in $\Pi$, we have $\Gamma' \cup \{M'\} \subseteq St(\Gamma \cup \{M\})$.

Proof. By induction on $|\Pi|$. It is enough to show that for each rule $\rho$ in $\mathcal{L}$ other than $r$

$$\dfrac{\Gamma' \vdash M'}{\Gamma \vdash M}\; \rho$$

we have that $St(\Gamma \cup \{M\}) = St(\Gamma' \cup \{M'\})$. The non-trivial case is the rule $\mathit{blind}_2$:

$$\dfrac{\Gamma_1, \mathit{sign}(\mathit{blind}(N,R),K), \mathit{sign}(N,K), R \vdash M}{\Gamma_1, \mathit{sign}(\mathit{blind}(N,R),K) \vdash M}\; \mathit{blind}_2$$

where $\Gamma = \Gamma_1 \cup \{\mathit{sign}(\mathit{blind}(N,R),K)\}$. The premise of the rule has a term $\mathit{sign}(N,K)$ which may not occur in the conclusion. However, the proper subterms of $\mathit{sign}(N,K)$ are included in the proper subterms of $\mathit{sign}(\mathit{blind}(N,R),K)$, hence both the premise and the conclusion have the same set of proper subterms. Notice that $\mathit{sign}(N,K) \in sst(\Gamma)$, since both $N$ and $K$ are in $pst(\Gamma)$. Therefore in this case we also have that $St(\Gamma \cup \{M\}) = St(\Gamma' \cup \{M'\})$. □

The existence of linear size proofs then follows from the above lemma.

Lemma 4.8. If there is an $\mathcal{L}$-derivation of $\Gamma \vdash M$ then there is an $\mathcal{L}$-derivation of the same sequent whose length is at most $\#(St(\Gamma \cup \{M\}))$.

Proof. We first note that any derivation of $\Gamma \vdash M$ can be turned into one in which every sequent in the derivation occurs exactly once on a branch. Our rules preserve their principal formula when read upwards from conclusion to premise, hence the left hand sides of the sequents as we go up a branch accumulate more and more formulae. That is, they form an increasing chain. At worst, each such rule adds only one formula from $St(\Gamma \cup \{M\})$. Thus, by Lemma 4.7, the number of different sequents on a branch is bounded by the cardinality of $St(\Gamma \cup \{M\})$. □

Another useful observation is that the left-rules of $\mathcal{L}$ are invertible; at any point in a bottom-up proof search, we do not lose derivability by applying any left rule. Polynomial reducibility of $\Vdash_{\mathcal{L}}$ to $\Vdash_E$ can then be proved by a deterministic proof search strategy which systematically tries all applicable rules.

We now show that the decision problem $\Gamma \Vdash M$ is polynomially reducible to the elementary deduction problem. This proof will make use of the linear proof system $\mathcal{L}$. Since the side conditions in some rules in $\mathcal{L}$ depend on $\Vdash_{\mathcal{R}}$, we first need to prove this reducibility result for $\Vdash_{\mathcal{R}}$. This is straightforward since the right introduction rules do not modify messages in the left hand side of the sequent, hence, if $m$ is the number of distinct subterms of $M$, checking this deducibility relation amounts to checking at most $m$ instances of $\Vdash_E$ on subterms of $M$.

Lemma 4.9. The decidability of the relation $\Vdash_{\mathcal{R}}$ is polynomially reducible to the decidability of elementary deduction $\Vdash_E$.

Proof. Recall that the relation $\Gamma \Vdash_{\mathcal{R}} M$ holds if we can derive $\Gamma \vdash M$ using only right-rules and id. Here is a simple proof search procedure for $\Gamma \vdash M$, using only right-rules:

(1) If $\Gamma \vdash M$ is elementarily deducible, then we are done.

(2) Otherwise, apply a right-introduction rule (backwards) to $\Gamma \vdash M$ and repeat step 1 for each obtained premise, and so on. If no such rules are applicable, then $\Gamma \vdash M$ is not derivable.

There are at most $n$ iterations where $n$ is the number of distinct subterms of $M$. Note that the check for elementary deducibility in step 1 is done on problems of size less or equal to $\#(St(\Gamma \cup M))$. □

Before we proceed with proving the main decidability result (Theorem 14. 101 below) . let 
us first define the notion of a principal term in a left-rule in the proof system C (we refer 
to Figure [3] in the following definition) : 

• (M, A'^) is the principal term of Ip 

• {M}k is the principal term of le 

• sign(M, K) is the principal term of sign 

• blind(M, A') is the principal term of blindi 

• sign(blind(M, i?), A') is the principal term of blind2 
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• ^ is the principal term of Is. 

Given a sequent T \- M and a pair of principal-term and a left-rule ( A^, p) , we say that the 
pair (A'", p) is applicable to the sequent if 

• p is Is, A^ is a factor of F U {M}, and there is an instance of p with T,N \- M as its 
premise; 

• p is not Is, A^ G r, and there is an instance of p with F h M as its conclusion. 

Let us assume that the complexity of $\Vdash_E$ is $O(f(n))$. Given a sequent $\Gamma \vdash M$ and a pair of principal-term and a left-rule $(N, \rho)$, we note the following two facts:

F1: the complexity of checking whether $(N, \rho)$ is applicable to $\Gamma \vdash M$ is $O(n^l f(n))$ for some constant $l$;

F2: if $(N, \rho)$ is applicable to $\Gamma \vdash M$, then there is a unique sequent $\Gamma' \vdash M$ such that the sequent below is a valid instance of $\rho$:

$$\frac{\Gamma' \vdash M}{\Gamma \vdash M}\ \rho$$

Note that for (F1) to hold, we need to assume a DAG representation of sequents with maximal sharing of subterms. The complexity of checking whether a rule is applicable or not then consists of

• pointer comparisons;

• pattern matching a subgraph with a rule;

• checking equality modulo associativity and commutativity (for the rule $sign$);

• and checking $\Vdash_R$.

The first three can be done in polynomial time; and the last one is polynomially reducible to $\Vdash_E$ (Lemma 4.9).

Theorem 4.10. The decidability of the relation $\Vdash_{\mathcal{L}}$ is polynomially reducible to the decidability of elementary deduction $\Vdash_E$.

Proof. Let $n$ be the size of $St(\Gamma \cup \{M\})$. Notice that the left-rules in Figure 3 are invertible (they accumulate terms, reading the rules bottom-up), so one does not lose derivability by applying any of the rules in proof search. Thus by blindly applying the left-rules, we eventually reach a point where the right-rule $r$ is applicable, hence the original sequent is derivable, or we reach a "fix point" where we encounter all previous sequents. For the latter, we show that there is a polynomial bound to the number of rule applications we need to try before concluding that the original sequent is not provable.

Let $M_1, \ldots, M_n$ be an enumeration of the set $St(\Gamma \cup \{M\})$. Suppose $\Gamma \vdash M$ is provable in $\mathcal{L}$. Then there is a shortest derivation in $\mathcal{L}$ where each sequent appears exactly once in the (linear) derivation. This also means that there exists a sequence of principal-term-and-rule pairs

$$(M_{i_1}, \rho_1), \ldots, (M_{i_q}, \rho_q)$$

that are applicable, successively, to $\Gamma \vdash M$. Note that $q \leq n$ by Lemma 4.8.

A simple proof search strategy for $\Gamma \vdash M$ is therefore to repeatedly try all possible applicable pairs $(M', \rho')$ for each possible $M' \in St(\Gamma \cup \{M\})$ and each left-rule $\rho'$. More precisely: let $j := 0$ and initialise $\Delta := \Gamma$.

(1) $j := j + 1$.

(2) If $\Delta \Vdash_R M$ then we are done.

(3) Otherwise, for $k = 1$ to $n$ do
    for every left-rule $\rho$ do
        if $(M_k, \rho)$ is applicable to $\Delta \vdash M$, then let $\Gamma_1 \vdash M$ be the unique premise of $\rho$ determined by $(M_k, \rho)$ via F2 and let $\Delta := \Gamma_1$.

(4) If $j < n$ then go to step 1.

If the original sequent is derivable, then at each iteration $j$, the algorithm (i.e., step 3) will find the correct pair $(M_{i_j}, \rho_j)$. (Strictly speaking, the algorithm finds the $j$-th pair of a shortest derivation, and not necessarily the one given above, since there can be more than one derivation of a given length.) Note that the algorithm does not construct the shortest derivation, but at each iteration $j$, it will guess correctly the $j$-th pair of such a derivation if one exists. If no derivation is found after $n$ (outer) iterations, then the original sequent is not derivable, since the length of any shortest derivation is bounded by $n$ by Lemma 4.8. By Lemma 4.9, step 2 takes $O(n^a f(n))$ for some constant $a$. By (F1) above, each iteration in step 3 takes $O(n^b f(n))$ for some constant $b$. Since there are at most $6n$ distinct principal-term-and-rule pairs, this means step 3 takes $O(6n^{b+1} f(n))$. Therefore the whole procedure takes $O(n^{c+1} f(n))$ where $c$ is the greater of $a$ and $b + 1$. Hence the complexity of $\Vdash_{\mathcal{L}}$ is polynomially reducible to $\Vdash_E$. $\square$

Note that in the case where the theory $E$ is empty, we obtain a ptime decision procedure for intruder deduction with blind signatures.
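As an added illustration (example code written for this page, not code from the paper or its Isabelle development), the following Python carries out the proof-search strategy of the proof of Theorem 4.10 for the special case just mentioned, an empty theory $E$, restricted to pairing and encryption, i.e. the Dolev-Yao system of Figure 4 in Section 6 (blind signatures are left out). The left-rules are applied blindly until a fixpoint is reached, which loses nothing because they are invertible, and right-deducibility is checked by the decomposition procedure of Lemma 4.9, where elementary deducibility collapses to syntactic membership. The term encoding and all function names are this example's own assumptions.

```python
# Term representation (this example's own, not the paper's notation):
#   ('name', 'a')    atomic name or key
#   ('pair', M, N)   the pair (M, N)
#   ('enc', M, K)    the encryption {M}_K
def name(a): return ('name', a)
def pair(m, n): return ('pair', m, n)
def enc(m, k): return ('enc', m, k)

def right_deducible(gamma, m):
    """Gamma ||-_R M: derivable from the id rule and right-rules only.
    This is the search of Lemma 4.9 with the empty theory, where elementary
    deducibility collapses to syntactic membership: close the goal by id or
    decompose it with r_p / r_e, visiting at most one goal per subterm of M."""
    if m in gamma:                                   # id
        return True
    if m[0] == 'name':                               # no right-rule applies
        return False
    return right_deducible(gamma, m[1]) and right_deducible(gamma, m[2])

def saturate(gamma):
    """Apply the left-rules of Figure 4 blindly until nothing changes.
    They are invertible, so this loses no derivability: l_p adds both
    components of a pair, l_e adds the plaintext of {M}_K once K is
    right-deducible from the knowledge accumulated so far."""
    gamma = set(gamma)
    changed = True
    while changed:
        changed = False
        for t in list(gamma):
            if t[0] == 'pair':
                new = {t[1], t[2]}
            elif t[0] == 'enc' and right_deducible(gamma, t[2]):
                new = {t[1]}
            else:
                continue
            if not new <= gamma:
                gamma |= new
                changed = True
    return gamma

def deducible(gamma, m):
    """Gamma ||- M in the Dolev-Yao sequent system: saturate the left side
    (the left-rule phase of the algorithm), then check right-deducibility
    against the fixpoint (step 2 of the algorithm)."""
    return right_deducible(saturate(gamma), m)

if __name__ == "__main__":
    # Constructed sample: a session key k2 wrapped under k1, a secret pair under k2.
    k1, k2, s, t = name("k1"), name("k2"), name("s"), name("t")
    knowledge = {k1, enc(k2, k1), enc(pair(s, t), k2)}
    print(deducible(knowledge, pair(t, s)))          # unwrap k2, decrypt, re-pair
    print(deducible(knowledge - {k1}, s))            # k2 is never recovered
```

The saturation loop visits only subterms of the initial knowledge, so it terminates after polynomially many rule applications, which is the bound the theorem establishes for the general case; the key check inside `saturate` is re-run against the growing set, so an encryption whose key only becomes available after a later decryption is still opened on a subsequent pass.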

5. Combining disjoint convergent theories 

We now consider a slightly more general intruder deduction problem than the previous sections: we shall allow any AC convergent theory which is obtained from a union of pairwise disjoint convergent AC theories. That is, the AC theory $E$ in this case can be a disjoint combination of AC convergent theories $E_1, \ldots, E_n$, where each theory $E_i$ may contain an associative-commutative binary operator, which we denote with $\oplus_i$. We show that the intruder deduction problem under $E$ can be reduced to the elementary deduction problem of each $E_i$. The notions of subterms, factors, alien terms, etc., carry over to this more general setting, but we shall be mostly concerned with the constituent theories $E_i$'s, so we shall be speaking of $E_i$-alien terms, $E_i$-factors, etc.

The sequent system $\mathcal{S}$ needs to be modified slightly to accommodate this combination of theories. Throughout this section, we shall consider a sequent system $\mathcal{D}$, whose rules are those of $\mathcal{S}$, but with $id$ replaced by the rule $id_{E_i}$ below left and with the rule $acut$ below right:

$$\frac{M \approx_E C[M_1, \ldots, M_k],\ C[\,]\ \text{an } E_i\text{-context, and } M_1, \ldots, M_k \in \Gamma}{\Gamma \vdash M}\ id_{E_i} \qquad \frac{\Gamma \vdash N \qquad \Gamma, N \vdash M}{\Gamma \vdash M}\ acut$$

where $N$ is an $E_i$-factor of $\Gamma \cup \{M\}$. Notice that the sequent system $\mathcal{S}$ is then just a special case of $\mathcal{D}$ where $E$ contains only a single AC operator. Note that in the proviso of the $id_{E_i}$ rule, we require that $M \approx_E C[M_1, \ldots, M_k]$. However, as a consequence of Proposition 3.6 and Proposition 3.7 we have

$$M \approx_E C[M_1, \ldots, M_k] \quad\text{iff}\quad C[F_E(M_1), \ldots, F_E(M_k)] \approx_E F_E(M) \quad\text{iff}\quad C[F_E(M_1), \ldots, F_E(M_k)] \approx_{E_i} F_E(M).$$

That is, in applying the $id_{E_i}$ rule, one can abstract all the $E_i$-alien subterms from the sequent and check for equality in the theory $E_i$, rather than $E$.
A straightforward adaptation of the proof of Proposition 2.7 gives an analog of it for $\mathcal{D}$.

Proposition 5.1. The judgment $\Gamma \vdash M$ is derivable in the natural deduction system $\mathcal{N}$, under theory $E$, if and only if $\Gamma{\downarrow} \vdash M{\downarrow}$ is derivable in the sequent system $\mathcal{D}$.

Cut elimination also holds for $\mathcal{D}$. Its proof is basically the same as the proof for $\mathcal{S}$, since the "logical structures" (i.e., those concerning constructors) are the same. The crucial part of the proof in this case relies on the variable abstraction technique (Proposition 3.6 and Proposition 3.7), which applies to disjoint combination of theories. We can then prove the analog of the decomposition lemmas (Lemma 3.9 and Lemma 3.10), given below.

Lemma 5.2. Let $X$ and $Y$ be terms in normal form and let $f$ be a binary constructor. If $\Gamma, f(X, Y) \vdash M$ is cut-free derivable, then so is $\Gamma, X, Y \vdash M$.

Proof. This is proved analogously to Lemma 3.9. $\square$

Lemma 5.3. Let $X_1, \ldots, X_k$ be normal terms and let $\Pi$ be a cut-free derivation of

$$\Gamma, f(X_1, \ldots, X_k){\downarrow} \vdash M,$$

where $f \in \Sigma_{E_i}$. Then there exists a cut-free derivation $\Pi'$ of $\Gamma, X_1, \ldots, X_k \vdash M$.

Proof. By induction on $|\Pi|$. As in the proof of Lemma 3.10 we do case analyses on the last rule of $\Pi$. The cases involving constructors are the same as in the proof of Lemma 3.10. The non-trivial cases are when $\Pi$ ends with either $id$ or $acut$.

• Suppose $\Pi$ ends with $id_{E_j}$. That is, we have

$$C[f(X_1, \ldots, X_k){\downarrow}, M_1, \ldots, M_l] \approx M$$

for some $E_j$-context $C[\ldots]$. If $i = j$ then $f \in \Sigma_{E_j}$ and the sequent $\Gamma, X_1, \ldots, X_k \vdash M$ is provable by an application of $id_{E_j}$ using the $E_j$-context $C[f(\ldots){\downarrow}, \ldots]$.

Otherwise, we have that $i \neq j$. Let $R = f(X_1, \ldots, X_k){\downarrow}$. There are two subcases to consider:

– $R$ is an $E_j$-alien term. Suppose $v(R) = x$. Then by Proposition 3.6 we have

$$F_{E_j}(C[R{\downarrow}, M_1, \ldots, M_l]) = C[x{\downarrow}, F_{E_j}(M_1), \ldots, F_{E_j}(M_l)] \rightarrow^* F_{E_j}(M).$$

If $x$ does not occur in $F_{E_j}(M)$ then, using the same line of arguments as in the proof of Lemma 3.9, it can be shown that

$$C[X_1, M_1, \ldots, M_l] \approx M,$$

hence $\Pi'$ in this case is a simple application of $id_{E_j}$.

Otherwise, if $x$ does occur in $F_{E_j}(M)$, then it can be shown that there exists $R' \approx R$ such that either $R' = M$ or $R'$ is an $E_j$-factor of $M$. For the former case, $\Pi'$ is simply an application of the $id_{E_i}$ rule, since $f(X_1, \ldots, X_k) \approx M$. For the latter case, we can apply the $acut$ rule to abstract $R'$ from $M$:

$$\frac{\dfrac{f(X_1, \ldots, X_k) \approx R'}{\Gamma, X_1, \ldots, X_k \vdash R'}\ id_{E_i} \qquad \dfrac{C[R'{\downarrow}, M_1, \ldots, M_l] \approx M}{\Gamma, R', X_1, \ldots, X_k \vdash M}\ id_{E_j}}{\Gamma, X_1, \ldots, X_k \vdash M}\ acut$$

– $R$ is not an $E_j$-alien term, i.e., $R$ is headed by some $g \in \Sigma_{E_j}$. This means that $R$ is an $E_i$-alien term. Since $f(X_1, \ldots, X_k) \rightarrow^* R$, again using variable abstraction, it can be shown that there exists $R' \approx R$ such that either $R' = X_p$ or $R'$ is an $E_i$-factor of $X_p$. In either case, it is easy to construct a derivation of $\Gamma, X_1, \ldots, X_k \vdash M$.

• Suppose $\Pi$ ends with $acut$:

$$\frac{\dfrac{\Pi_1}{\Gamma, f(X_1, \ldots, X_k){\downarrow} \vdash A} \qquad \dfrac{\Pi_2}{\Gamma, f(X_1, \ldots, X_k){\downarrow}, A \vdash M}}{\Gamma, f(X_1, \ldots, X_k){\downarrow} \vdash M}\ acut$$

where $A$ is an $E_j$-factor of $f(X_1, \ldots, X_k){\downarrow}$. Note that $A$ in this case must be headed by a function symbol not in $\Sigma_{E_j}$.

If $i = j$ then we have

$$f(X_1, \ldots, X_k){\downarrow} = C[g(\ldots A \ldots)]$$

for some context $C[\ldots]$ and some $g \in \Sigma_{E_i}$. Again, using variable abstraction, it can be shown that there exists $A' \approx A$ and some $X_p$ such that either $A' = X_p$ or $A'$ is an $E_i$-factor of $X_p$. For the former case, the derivation $\Pi'$ is obtained by applying the induction hypothesis to $\Pi_2$. For the latter case, the derivation $\Pi'$ is constructed as follows

$$\frac{\dfrac{\Pi'_1}{\Gamma, X_1, \ldots, X_k \vdash A'} \qquad \dfrac{\Pi'_2}{\Gamma, X_1, \ldots, X_k, A' \vdash M}}{\Gamma, X_1, \ldots, X_k \vdash M}\ acut$$

where $\Pi'_1$ and $\Pi'_2$ are obtained from the induction hypothesis, followed by applications of Lemma 3.8.

If $i \neq j$, then $g \notin \Sigma_{E_i}$ and therefore $g(\ldots A \ldots)$ is an $E_i$-alien term. In this case, there must exist $B \approx g(\ldots A \ldots)$ such that $B$ is a subterm of some $X_p$. In other words, $A$ is an $E_i$-factor of $X_p$. So $\Pi'$ in this case is constructed as in the derivation figure above. $\square$

We state the theorem below and omit the details of the proof since it is a straightforward adaptation of the cut elimination proof for $\mathcal{S}$.

Theorem 5.4. The cut rule is admissible for $\mathcal{D}$.

Proof. Analogous to the proof of Theorem 3.12, making use of Lemmas 5.2 and 5.3. $\square$

The decidability result for $\mathcal{S}$ also holds for $\mathcal{D}$. Its proof is basically the same as the decidability result for $\mathcal{S}$. That is, we first show that derivations in $\mathcal{D}$ admit the same normal form as in $\mathcal{S}$. It then remains to design a linear proof system for $\mathcal{D}$. This is the same as $\mathcal{L}$, except that the side condition of $l_s$ is modified slightly:

$$\frac{\Gamma, N \vdash M}{\Gamma \vdash M}\ l_s$$

where $N$ is an $E_i$-factor of $\Gamma \cup \{M\}$ and $\Gamma \Vdash_R N$. We denote with $\mathcal{LD}$ the linear proof system obtained from $\mathcal{L}$ by changing the $l_s$ rule to the above one. Then the following proposition is straightforward.

Proposition 5.5. Every sequent $\Gamma \vdash M$ is derivable in $\mathcal{D}$ if and only if it is derivable in $\mathcal{LD}$.

The notion of polynomial reducibility is slightly changed. Suppose each elementary deduction problem in $E_i$ is bounded by $O(f(m))$. Let $m$ be the size of $St(\Gamma \cup \{M\})$. Then the deduction problem $\Gamma \Vdash_{\mathcal{LD}} M$ is polynomially reducible to $\Vdash_{E_1}, \ldots, \Vdash_{E_n}$ if it has complexity $O(m^k f(m))$, for some constant $k$. Note that here we only talk about the maximal complexity of the elementary deduction in the constituent theories, and not the elementary deduction in the combined theory $E$, which may be higher.

Theorem 5.6. The decidability of the relation $\Vdash_{\mathcal{LD}}$ is polynomially reducible to the decidability of elementary deductions $\Vdash_{E_1}, \ldots, \Vdash_{E_n}$.



6. Deducibility constraints for Dolev-Yao intruders 

We now consider a constraint problem that arises from analysis of security protocols for a bounded number of sessions. This typically assumes an active intruder which can synthesize messages from a set of known messages, intercepted during runs of protocols, to affect the running of the protocols. Since there could be infinitely many such messages, these need to be represented symbolically as variables. As has been shown in a number of previous works [20, 7, 10], the problem of finding an attack on a protocol for a bounded number of sessions (typically, violation of secrecy or authentication properties) can be mapped into the problem of solving deducibility constraints. The latter are essentially a list of sequents, possibly with occurrences of variables, and finding attacks on a protocol then corresponds to finding substitutions for the variables such that the instances of the sequents under those substitutions are derivable in the inference system modeling the intruder's abilities. We shall not delve into the specifics of the mapping from protocol analysis into deducibility constraints; the interested reader can consult the existing literature on the subject, e.g., [20, 10]. In this section, we report on our preliminary study on how sequent calculus can be applied to solve the deducibility constraint problem in a limited setting, where the intruder model does not assume any equational theories. For future work, we intend to study the more general deducibility constraint problems involving AC convergent theories.

We note that the main results in this section have been formally verified in the Isabelle/HOL proof assistant. The proof scripts are available via the web (given in the introduction).

We shall be concerned only with Dolev-Yao intruders in this section, i.e., we restrict to the constructors $(\cdot, \cdot)$ and $\{\cdot\}_\cdot$, and an empty equational theory. For this class of intruders, the deducibility constraint problem has been shown decidable in several existing works [7, 20, 21, 10]. In particular, our constraint reduction rules bear some similarity with the reduction rules in [20]. We shall, however, prove a stronger result, which is that every deducibility constraint system is satisfiable if and only if it can be transformed into a certain solved form, in which its solvability is immediate. A procedure for this transformation has been given recently in [10] using a natural deduction formulation of the intruder model. Our aim here is to illustrate how the sequent calculus can be used to solve the deducibility constraint problem.

Note that since we restrict to Dolev-Yao intruders, the rule $acut$ becomes redundant, since there could be no $E$-factors in messages composed using constructors alone. Therefore in this case, the sequent system $\mathcal{S}$ can be simplified to the one given in Figure 4.

Definition 6.1. A deducibility constraint is an expression of the form $\Sigma \Vdash M$ (called a proper deducibility constraint) or $\Sigma \Vdash_R M$ (called a right-deducibility constraint), where $\Sigma$ is a set of messages and $M$ is a message. $\Sigma$ here is called the left side of the constraint and $M$ its right side. We write $\Sigma \Vdash_{(R)} M$ to denote a constraint generally without referring to its specific form.

Intuitively, the constraint $\Sigma \Vdash M$ denotes the problem of finding a derivable instance of the sequent $\Sigma \vdash M$, while the constraint $\Sigma \Vdash_R M$ denotes the problem of finding an instance of the sequent $\Sigma \vdash M$ that is derivable using only the identity and the right-rules. The separation of constraints into these two kinds is motivated by the structure of normal derivations, which separates proof search into general deducibility and right-deducibility. Indeed, our decision procedure for solving constraints exploits the structure of normal derivations.

$$\frac{M \in \Gamma}{\Gamma \vdash M}\ id \qquad \frac{\Gamma, (M, N), M, N \vdash T}{\Gamma, (M, N) \vdash T}\ l_p \qquad \frac{\Gamma \vdash M \qquad \Gamma \vdash N}{\Gamma \vdash (M, N)}\ r_p$$

$$\frac{\Gamma, \{M\}_K \vdash K \qquad \Gamma, \{M\}_K, M, K \vdash N}{\Gamma, \{M\}_K \vdash N}\ l_e \qquad \frac{\Gamma \vdash M \qquad \Gamma \vdash K}{\Gamma \vdash \{M\}_K}\ r_e$$

Figure 4: Sequent system for Dolev-Yao intruders

If $C$ is a list of constraints, then $V(C)$ denotes the set of variables occurring in $C$. A substitution is a mapping from variables to terms. It is extended to a mapping from terms to terms in the usual way. We denote with $dom(\theta)$ the domain of the substitution $\theta$, and $ran(\theta)$ denotes its range. We denote with $\epsilon$ the substitution with empty domain, i.e., the identity map on variables. A substitution $\theta$ is a ground substitution if $\theta(x)$ is a ground message for every $x \in dom(\theta)$. Application of a substitution $\theta$ to a message $M$ is written in a postfix notation, i.e., $M\theta$. This notation generalises to sets of terms, sequents, constraints, etc., in the obvious way, e.g., $\Gamma\theta$ denotes the set of messages obtained from applying the substitution to each member of the set. Composition of substitutions is written $\theta \circ \rho$ and is defined as $M(\theta \circ \rho) = (M\theta)\rho$.

Definition 6.2. A ground substitution $\theta$ is a solution to a list of deducibility constraints $C$ if:

• for every $\Sigma \Vdash M \in C$, we have $\Sigma\theta \Vdash M\theta$, and

• for every $\Sigma \Vdash_R M \in C$, we have $\Sigma\theta \Vdash_R M\theta$.

We say that $C$ is satisfiable if there is a solution for $C$.

Given a list of constraints $C$ and an index $i$, we write $C^i$ to denote the prefix of $C$ of length $(i - 1)$. So, if $C$ is, for example,

$$(\Sigma_1 \Vdash M_1); (\Sigma_2 \Vdash M_2); (\Sigma_3 \Vdash M_3)$$

then $C^1$ is the empty list; $C^2$ is the singleton list $(\Sigma_1 \Vdash M_1)$. Obviously, if $\theta$ is a solution for $C$ then it is also a solution for any of its prefixes.

In the following, given $\Sigma_1$ and $\Sigma_2$, we write $\Sigma_1 \Vdash \Sigma_2$ if $\Sigma_1 \Vdash M$ for every $M \in \Sigma_2$.

Definition 6.3. A deducibility constraint system $C$ is a list of deducibility constraints

$$\Sigma_1 \Vdash_{(R)} M_1; \cdots; \Sigma_n \Vdash_{(R)} M_n$$

such that:

(1) For $i < j$, if $\Sigma_j^i$ is obtained from $\Sigma_j$ by deleting messages which contain a variable not in any message in $\Sigma_i$, then for all solutions $\theta$ to $C^i$, $\Sigma_j^i\theta \Vdash \Sigma_i\theta$.

(2) For every variable $x \in V(C)$, there exists $\Sigma_i \Vdash_{(R)} M_i$ such that $x \in V(M_i)$, $x \notin V(\Sigma_i)$, and for every $j < i$, $x \notin V(\Sigma_j \Vdash_{(R)} M_j)$. The index $i$ in this case is called the order of $x$ and will be denoted by $Ord(x)$.

Remark 6.4. A commonly used definition of deducibility constraint systems (in the natural-deduction-based approach) imposes a condition that the lefthand sides of the constraints (the $\Sigma_i$'s) are ordered by set inclusion (see e.g., [21, 10]). This condition captures the fact that the knowledge of the intruder increases with time as it accumulates more messages. Our definition of a deducibility constraint system is slightly different in this respect. We capture this monotonicity condition via the deduction relation itself. This is somewhat more complicated than the natural deduction counterpart, but it is essentially imposed by our choice of the reduction rules on constraints: a natural choice of the reduction rules is one which mimics closely the inference rules of the proof system, hence we allow decomposition of messages on both the lefthand sides and the righthand sides of constraints, in contrast to the natural-deduction-based approach where decomposition of messages happens only on the righthand sides. Note that in Condition (1) in Definition 6.3, if the lefthand sides of the constraints are totally ordered by set inclusion, then $\Sigma_j^i \supseteq \Sigma_i$, hence trivially, $\Sigma_j^i\theta \Vdash \Sigma_i\theta$. Therefore, our definition of deducibility constraint system subsumes that used in the natural-deduction-based approaches.

Definition 6.5. A deducibility constraint system $C$ is in solved form if every element in $C$ is of the form $\Sigma \Vdash_R x$ for some $\Sigma$ and variable $x$.

For simplicity, we shall assume that in a deducibility constraint system $C$

$$\Sigma_1 \Vdash_{(R)} M_1; \cdots; \Sigma_n \Vdash_{(R)} M_n$$

there is a name, say $a$, that is in every $\Sigma_i$. As a consequence, if $C$ is in solved form, then it is trivially solvable: simply instantiate every variable in $V(C)$ to $a$. This assumption is harmless as far as reasoning about protocols is concerned, since in this setting, the intruder is usually assumed to have access to infinitely many "environment" names. Some work in the literature, e.g., [7], chooses to make this explicit by adding a special inference rule for deriving environment names.

The goal of this section is to show that every deducibility constraint system can be transformed into a deducibility constraint system in solved form, preserving the set of solutions.

Definition 6.6. The family of relations $\leadsto_\theta$, where $\theta$ is a substitution, relate lists of constraints and are defined below. If $\theta$ is the identity substitution we write $\leadsto$ instead of $\leadsto_\epsilon$.

C1: $C_1; \Sigma \Vdash_R M; C_2 \leadsto_\theta C_1\theta; C_2\theta$, if $M$ is not a variable and there exists $N \in \Sigma$ such that $\theta = mgu(M, N)$.

C2: $C_1; \Sigma \Vdash_R f(M, N); C_2 \leadsto C_1; \Sigma \Vdash_R M; \Sigma \Vdash_R N; C_2$, where $f$ is either $(\cdot, \cdot)$ or $\{\cdot\}_\cdot$.

C3: $C_1; \Sigma \Vdash M; C_2 \leadsto C_1; \Sigma \Vdash_R M; C_2$.

C4: $C_1; (\Sigma, (M, N) \Vdash U); C_2 \leadsto C_1; (\Sigma, M, N \Vdash U); C_2$, where $(M, N) \notin \Sigma$.

C5: $C_1; (\Sigma, \{M\}_N \Vdash U); C_2 \leadsto C_1; (\Sigma, \{M\}_N \Vdash_R N); (\Sigma, M, N \Vdash U); C_2$, where $\{M\}_N \notin \Sigma$.

Notice that in C4 and C5, when M and A^ are already in S, then these steps are 
essentially a weakening step, as they remove a pair or an encrypted message from the 
lefthand side of a constraint. Notice also that the reduction is defined on lists of constraints. 
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not just constraint systems. But as we shall see later, the reduction does preserve the 
property of being a deducibility constraint system. This preservation will be used in proving 
the completeness of the reduction rules for deducibility constraint systems. 

Lemma 6.7 (Soundness). Let $C$ be a list of constraints and suppose $C \leadsto_\theta C'$. If $C'$ is solvable then $C$ is also solvable. Moreover, if $\sigma$ is a solution for $C'$ then $\theta \circ \sigma$ is a solution for $C$.

Proof. The reduction rules C1 to C3 are obviously sound (C1 relies on the properties of mgu). For C4 and C5, we need to apply the weakening lemma (Lemma 2.4). $\square$

An immediate consequence of Lemma 6.7 is that, if $C$ rewrites to a solved form, then $C$ is satisfiable, and a solution for $C$ can be computed by composing the substitutions associated with the reduction.

Lemma 6.8. If $C_1; \Sigma \Vdash M; C_2$ is reducible, and $\Sigma \subseteq \Sigma'$, then $C_1; \Sigma' \Vdash M; C_2$ is reducible.

Lemma 6.9. If $C$ is a deducibility constraint system and $C \leadsto_\theta C'$ then $C'$ is also a deducibility constraint system.

Proof. Condition (1) of Definition 6.3 requires that, for constraints $\Sigma_i \Vdash_{(R)} X_i$ and $\Sigma_j \Vdash_{(R)} X_j$ with $i < j$, for all solutions $\sigma$ of $C^i$, $\Sigma_j^i\sigma \Vdash \Sigma_i\sigma$, where $\Sigma_j^i$ is $\Sigma_j$ modified by deleting messages containing variables which are not in $\Sigma_i$.

We first note that this property is preserved by a substitution which arises in the reduction rule C1. Suppose $C \leadsto_\theta C'$ by rule C1, and let $\sigma$ be a solution for $C'$. Then, by Lemma 6.7, $\theta \circ \sigma$ is a solution for $C$, hence also a solution for $C^i$. So we have $\Sigma_j^i(\theta \circ \sigma) \Vdash \Sigma_i(\theta \circ \sigma)$, and we require $(\Sigma_j\theta)^i\sigma \Vdash (\Sigma_i\theta)\sigma$, where $(\Sigma_j\theta)^i$ is obtained by removing from $\Sigma_j\theta$ messages containing variables which are not in $\Sigma_i\theta$. But if $M\theta$ is such a message, then $M$ must contain variables which are not in $\Sigma_i$, and so $M$ has been removed in constructing $\Sigma_j^i$ from $\Sigma_j$. Therefore $\Sigma_j^i\theta \subseteq (\Sigma_j\theta)^i$ and so $\Sigma_j^i(\theta \circ \sigma) \Vdash \Sigma_i(\theta \circ \sigma)$ implies $(\Sigma_j\theta)^i\sigma \Vdash (\Sigma_i\theta)\sigma$.

Reduction rules C2 and C3 do not change the left-hand side of a constraint, so the only issue they raise is that C2 produces two constraints from one: this gives an additional case of constraints $\Sigma_i \Vdash_{(R)} X_i$ and $\Sigma_j \Vdash_{(R)} X_j$. However here, $\Sigma_i = \Sigma_j$, which satisfies this requirement.

Reduction rule C4: Consider the requirement that $\Sigma_j^i\sigma \Vdash \Sigma_i\sigma$. If $\Sigma_i$ is changed to $\Sigma_i'$ by an application of rule C4, then we have $\Sigma_i\sigma \Vdash \Sigma_i'\sigma$ and so $\Sigma_j^i\sigma \Vdash \Sigma_i'\sigma$. (It is also necessary to observe that $\Sigma_i'$ contains the same variables as does $\Sigma_i$, and so $\Sigma_j^i$, defined relative to $\Sigma_i'$, is the same as $\Sigma_j^i$, defined relative to $\Sigma_i$.) If $\Sigma_j$ is changed to $\Sigma_j'$ by an application of rule C4, then we have $\Sigma_j'\sigma \Vdash \Sigma_j\sigma$. Further, note that when, say, $\Sigma_j = \Omega, (M, N)$, and $\Sigma_j' = \Omega, M, N$, if either $M$ or $N$ is deleted in forming $\Sigma_j'^i$, then $(M, N)$ is deleted in forming $\Sigma_j^i$. Thus we get $\Sigma_j'^i\sigma \Vdash \Sigma_j^i\sigma$ and so $\Sigma_j'^i\sigma \Vdash \Sigma_i\sigma$.

Reduction rule C5: In part, the argument is similar to that for C4. If $\Sigma_i$ is subject to an application of rule C5, say $\Sigma_i = \Omega, \{M\}_N$, then the first new constraint resulting is $\Omega, \{M\}_N \Vdash_R N$, which has the same left-hand side. The second new constraint resulting is $\Omega, M, N \Vdash_{(R)} X_i$, and we have that if $\sigma$ is a solution of $C'$ (and so $(\Omega, \{M\}_N)\sigma \Vdash N\sigma$) then we get $(\Omega, \{M\}_N)\sigma \Vdash (\Omega, M, N)\sigma$, and so $\Sigma_j^i\sigma \Vdash (\Omega, M, N)\sigma$, as required.

If $\Sigma_j$ is subject to an application of rule C5, then the argument is similar to that for rule C4.

Finally if we consider the two constraints resulting from rule C5, it is easy to check that the condition holds.

Condition (2) of Definition 6.3 is that any variable appears on the right-hand side of a constraint before it appears on the left-hand side of any constraint (equivalently, any variable which is in the left-hand side of any constraint appears in an earlier constraint).

We first show that this property is preserved by any substitution. Consider a constraint system $\Sigma_1 \Vdash_{(R)} X_1; \cdots; \Sigma_n \Vdash_{(R)} X_n$ and a substitution $\theta$. Let $x$ be in $\Sigma_k\theta$. Then for some $y$ in $\Sigma_k$, $x$ is in $y\theta$. Now as $y$ must be in some earlier $X_j$ ($j < k$), $x$ is in $X_j\theta$, as required. Reduction C1 consists of a substitution, then deleting a constraint $\Sigma \Vdash_R M$ for which $M \in \Sigma$. Clearly deleting such a constraint also preserves condition (2) of Definition 6.3.

It is straightforward to check that condition (2) is preserved by reductions C2 to C5. $\square$

Given a term $M$, we denote by $|M|$ the size of the term $M$. Given a set of terms $S$, define $|S| = \sum_{M \in S} |M|$.

Definition 6.10. Let $\Sigma$ be a set of messages. We define a measure on deducibility constraints, denoted by $|\cdot|$, as follows:

$$|\Sigma \Vdash_R M| = (0, |M|) \qquad |\Sigma \Vdash M| = (1, |\Sigma|)$$

Deducibility constraints are ordered by lexicographical ordering on their measures. The measure of a deducibility constraint system $C$, denoted by $|C|$, is

$$|C| = (\#V(C), S)$$

where $S$ is the multiset of measures of the deducibility constraints in $C$. There is a well-founded ordering on constraint systems, i.e., one which is obtained by lexicographical ordering on $|C|$, where the first component is ordered according to $<$ on natural numbers, and the second component is ordered according to multiset ordering (parameterised on the ordering on deducibility constraints).

Lemma 6.11 (Termination of constraints reduction). For every constraint system $C$, there is no infinite reduction sequence starting from $C$.

Proof. It is enough to show that each instance of the rewrite rules C1 to C5 reduces the measure on constraint systems. That is, we show that whenever $C \leadsto_\theta C'$ then $|C'| < |C|$. For C1, by the properties of mgu, the number of variables in $C'$ is smaller than or equal to the number of variables in $C$, but the number of deducibility constraints in $C'$ is smaller than in $C$, so $|C'| < |C|$. All other cases are straightforward from Definition 6.6 and Definition 6.10. $\square$

In the following, a rewrite sequence such as

$$C_1 \leadsto_{\theta_1} C_2 \leadsto_{\theta_2} \cdots \leadsto_{\theta_{n-1}} C_n$$

shall be abbreviated as $C_1 \Rightarrow_\theta C_n$ where $\theta = \theta_1 \circ \cdots \circ \theta_{n-1}$. Given two substitutions $\theta$ and $\sigma$, and a set of variables $V$, we write

$$\theta =_V \sigma$$

when $\theta$ and $\sigma$ coincide on $V$.

Lemma 6.12 (Completeness). Let $C$ be a constraint system and let $\theta$ be a solution for $C$. Then there exists a rewrite sequence $C \Rightarrow_\sigma C'$ such that $C'$ is in solved form, $\theta =_{V(C)} \sigma \circ \gamma$, and $\gamma$ is a solution for $C'$.
Proof. We prove this by induction on $|C|$. If $C$ is in solved form (this includes the case where $C$ is empty), then let $C' = C$ and let $\gamma = \theta$ and $\sigma$ be the identity substitution. Otherwise, since $\theta$ is a solution for $C$, for every $\Sigma \Vdash_{(R)} M \in C$, we have $\Sigma\theta \Vdash_{(R)} M\theta$. Without loss of generality, we assume that all derivations are in normal form. We construct a rewriting sequence on $C$ by examining the last rule of a selected constraint in $C$. By definition, elements of $C$ can be listed as

$$\Sigma_1 \Vdash_{(R)} M_1; \cdots; \Sigma_n \Vdash_{(R)} M_n$$

Let $i$ be the maximal index such that $C^i$ is in solved form. We shall select the constraint $\Sigma_i \Vdash_{(R)} M_i$ as a candidate for reduction.

We now proceed to showing that it is always possible to apply a rewrite rule to the selected constraint such that $C \leadsto_\rho D$, for some constraint system $D$, and such that $\theta = \rho \circ \beta$, and $\beta$ is a solution of $D$. There are several possible rewritings on the selected constraint, depending on the last rule of the normal derivation of the selected constraint:

(1) Suppose the selected constraint is a right-deducibility constraint, and suppose that there is a normal derivation of $\Sigma_i\theta \vdash M_i\theta$ ending with an $id$. That is, $M_i\theta = N\theta$ for some $N \in \Sigma_i$. Let $\rho = mgu(M_i, N)$. Then rewrite $C$ using C1:

$$C = C^i; (\Sigma_i \Vdash_R M_i); C_1 \leadsto_\rho C^i\rho; C_1\rho = D$$

Obviously, $\theta = \rho \circ \beta$ for some $\beta$, and $\beta$ is a solution to $D$.

(2) Suppose the selected constraint is $\Sigma_i \Vdash_R f(M, N)$, where $f$ is either $(\cdot, \cdot)$ or $\{\cdot\}_\cdot$, and the normal derivation of $\Sigma_i\theta \vdash f(M\theta, N\theta)$ ends with a right-introduction rule. The latter means that $\Sigma_i\theta \Vdash_R M\theta$ and $\Sigma_i\theta \Vdash_R N\theta$. Then rewrite $C$ using C2:

$$C = C^i; (\Sigma_i \Vdash_R f(M, N)); C_1 \leadsto C^i; (\Sigma_i \Vdash_R M); (\Sigma_i \Vdash_R N); C_1 = D.$$

Obviously, $\theta$ is also a solution to $D$, so in this case, $\rho = \epsilon$ and $\beta = \theta$.

(3) Suppose the selected constraint is $\Sigma_i \Vdash M_i$ but the normal derivation of $\Sigma_i\theta \vdash M_i\theta$ ends with a right-rule. The latter means that $\Sigma_i\theta \Vdash_R M_i\theta$. Then rewrite $C$ using C3:

$$C = C^i; (\Sigma_i \Vdash M_i); C_1 \leadsto C^i; (\Sigma_i \Vdash_R M_i); C_1 = D.$$

Obviously, $\theta$ is also a solution to $D$, so $\rho = \epsilon$ and $\beta = \theta$.

(4) Suppose the selected constraint is a proper deducibility constraint and suppose there exists $M \in \Sigma_i$, i.e., $\Sigma_i = \Sigma_i' \cup \{M\}$, such that $M$ is not a variable, and there is a normal derivation of $\Sigma_i'\theta, M\theta \vdash M_i\theta$ ending with a left rule applied to $M\theta$. Since $M$ is not a variable, it must be either a pair $(N_1, N_2)$ or an encrypted term $\{N_1\}_{N_2}$.

• If $M = (N_1, N_2)$, then, by normal derivability of $\Sigma_i'\theta, M\theta \vdash M_i\theta$, we have that

$$\Sigma_i'\theta, M\theta, N_1\theta, N_2\theta \vdash M_i\theta.$$

Note that by Lemma 3.9, we also have

$$\Sigma_i'\theta, N_1\theta, N_2\theta \vdash M_i\theta.$$

In this case, apply the rewrite rule C4:

$$C = C^i; (\Sigma_i', M \Vdash M_i); C_1 \leadsto C^i; (\Sigma_i', N_1, N_2 \Vdash M_i); C_1 = D.$$

Then $\theta$ is obviously a solution for $D$. As in the previous case, let $\rho = \epsilon$ and $\beta = \theta$.

• If $M = \{N_1\}_{N_2}$ then we have

$$\Sigma_i'\theta, M\theta \Vdash_R N_2\theta \quad\text{and}\quad \Sigma_i'\theta, M\theta, N_1\theta, N_2\theta \Vdash M_i\theta.$$

By Lemma 3.9 we also have

In this case, apply the rewrite rule C5:

$$C = C^i; (\Sigma_i', M \Vdash M_i); C_1 \leadsto C^i; (\Sigma_i', M \Vdash_R N_2); (\Sigma_i', N_1, N_2 \Vdash M_i); C_1 = D.$$

It is clear that $\theta$ is also a solution to $D$, so let $\rho = \epsilon$ and $\beta = \theta$.

Note that in both cases, Lemma 3.9 does not need to be applied if $M\theta \in \Sigma_i'\theta$, since in this case we have

$$(\Sigma_i' \cup \{N_1, N_2\})\theta = (\Sigma_i' \cup \{M, N_1, N_2\})\theta.$$

(5) Suppose the selected constraint is

$$\Sigma_i', x_1, \ldots, x_n \Vdash M_i$$

where $\Sigma_i'$ contains only non-variable terms. Note that since $C^i$ is in solved form, and since $C$ is a deducibility constraint system, it must be the case that each $x_k$ appears in the righthand side of a constraint in $C^i$. (More precisely, since $C$ is a deducibility constraint system, it must be the case that each $x_k$ appears in the righthand side of a constraint in $C^i$, and since $C^i$ is in solved form, each $x_k$ is the righthand side of a constraint in $C^i$.) Obviously, any two distinct variables $x_k$ and $x_l$ cannot be the same righthand side, therefore, without loss of generality, we assume that $Ord(x_k) < Ord(x_l)$ whenever $k < l$. Notice that by well-formedness of $C$, $Ord(x_l) < i$ for every $l \in \{1, \ldots, n\}$.

Suppose that there is a normal derivation $\Pi$ of the sequent

$$\Sigma_i'\theta, x_1\theta, \ldots, x_n\theta \vdash M_i\theta \tag{6.1}$$

which ends with a left rule applied to one of $x_k\theta$. We first show that the following sequent is derivable

$$\Sigma_i'\theta \vdash M_i\theta. \tag{6.2}$$

To derive the above sequent, we first note the following facts:

(a) Since $C^i$ is in solved form, we have for each $k \in \{1, \ldots, n\}$, $(\Sigma_{o(k)} \Vdash_R x_k) \in C^i$, where $o(k)$ is the order of $x_k$, hence

$$\Sigma_{o(k)}\theta \Vdash_R x_k\theta. \tag{6.3}$$

(b) Let $\Sigma^k = \Sigma_i' \cup \{x_1, \ldots, x_{k-1}\}$ for $k \leq n$. Since $C$ is a deducibility constraint system, by Definition 6.3(1), there exists $\Omega_k \subseteq \Sigma^k$ such that $V(\Omega_k) \subseteq V(\Sigma_{o(k)})$ and

$$\Omega_k\theta \Vdash \Sigma_{o(k)}\theta$$

by definition, hence by weakening (Lemma 2.4), $\Sigma^k\theta \Vdash \Sigma_{o(k)}\theta$. Then by several applications of cut (using Sequent (6.3) above), we get

$$\Sigma^k\theta \Vdash x_k\theta \tag{6.4}$$

for any $k \leq n$.

Applying cuts successively using instances of Sequent (6.4) and Sequent (6.1), we obtain Sequent (6.2) as required.

Then consider a normal derivation of Sequent (6.2). The arguments of the previous cases show that the constraint $\Sigma_i' \Vdash M_i$ would admit a reduction. It follows trivially (similarly to Lemma 6.8) that the enlarged sequent $\Sigma_i', x_1, \ldots, x_n \Vdash M_i$ would admit a reduction.

Since rewriting reduces the size of the constraint system, by induction hypothesis $D \Rightarrow_{\rho'} C'$ such that $C'$ is in solved form, $\beta =_{V(D)} \rho' \circ \gamma'$, and $\gamma'$ is a solution for $C'$. Now let $\sigma = \rho \circ \rho'$ and let $\gamma = \gamma'$. Then we indeed have $C \Rightarrow_\sigma C'$, $\theta =_{V(C)} \sigma \circ \gamma$ and $\gamma$ is a solution for $C'$. $\square$

Theorem 6.13 (Decidability of deducibility constraints). Given a deducibility constraint 
system C , it is decidable whether or not the constraint is satisfiable. 

Proof. This is a consequence of Lemma [6.1?], Lemma 6.7, Lemma 6.12 and the fact that the rewrite system $\Rightarrow$ is finitely branching. □

To conclude this section, we comment briefly on the main differences between our approach and that of Comon-Lundh et al. [10]. Apart from the difference in the way we impose the monotonicity condition (see Remark 6.4), the main difference is of course in the reduction rules. In their work, no explicit decomposition is applied to the left-hand side of a constraint. Instead, they allow unification of arbitrary subterms in a constraint. Our reduction rules, on the other hand, have a direct correspondence with the inference rules of the proof system itself. This could perhaps be beneficial when dealing with theories for which the subformula property does not hold, e.g., when it involves blind signatures, where exhaustive unification tests on subterms may not be sufficient to get completeness.

7. Conclusion and related work 

We have shown that decidability of the intruder deduction problem, under a range of 
equational theories, can be reduced to the simpler problem of elementary deduction, which 
amounts to solving equations in the underlying equational theories. In particular, this 
reduction is obtained in a purely proof theoretical way, using standard techniques such as 
cut elimination and permutation of inference rules. We show that sequent-based techniques 
can also be used to solve the deducibility constraint problems, for Dolev-Yao intruders. 

There are several existing works in the literature that deal with intruder deduction. 
Our work is more closely related to, e.g., [11, 1?, 19], in that we do not have explicit
destructors (projection, decryption, unblinding), than, say, [1?]. In the latter work, these
destructors are considered part of the equational theory, so in this sense our work slightly
extends theirs to allow combinations of explicit and implicit destructors. A drawback of the
approach with explicit destructors is that one needs to consider these destructors together
with other algebraic properties in proving decidability, although recent work on combining
decidable theories [3] allows one to deal with them modularly. Combination of intruder
theories has been considered in [9], [3], [16], as part of their solution to the more difficult
problem of deducibility constraints, which assumes active intruders. In particular, Delaune
et al. [16] obtain results similar to what we have here concerning combination of AC
theories. One difference between these works and ours is in how this combination is derived.
Their approach is more algorithmic, whereas our result is obtained through analysis of proof
systems.

They also consider a slightly richer intruder model, containing asymmetric encryption and signing. But
it is easy to extend our work to accommodate these additional operators.

It remains to be seen whether sequent calculus, and its associated proof techniques, 
can prove useful for richer theories. For certain deduction problems, i.e., those in which the 
constructors interact with the equational theory, there do not seem to be general results 
like the ones we obtain for theories with no interaction with the constructors. One natural 
problem where this interaction occurs is the theory with homomorphic encryption, e.g., like 
the one considered in [19]. Another interesting challenge is to see how sequent calculus can 
be used to study the more difficult problem of solving intruder deduction constraints under 
richer intruder models, e.g., like those studied in [11, 1?, 1?]. An immediate avenue for future
work is to prove the same results as in Section [6l in particular, the transformation to solved 
forms, but for the intruder model with blind signatures. 

It may be of proof theoretic interest to study the exact complexity of the cut elimi- 
nation procedure and the translation from natural deduction to sequent calculus, although 
these results are not needed in establishing the complexity results for the intruder deduc- 
tion problem. We leave the complete study of the complexity results for these derivation 
transformations to future work. 